


Europäisches Patentamt
European Patent Office
Office européen des brevets

Publication number: 0 503 119 B1

EUROPEAN PATENT SPECIFICATION

Date of publication of patent specification: 20.09.95 Bulletin 95/38

Int. Cl.6: H04L 9/30

Application number: 91103933.7

Date of filing: 14.03.91

Public key cryptographic system using elliptic curves over rings.

Date of publication of application: 16.09.92 Bulletin 92/38

Proprietor: OMNISEC AG
Trockenloostrasse 91
CH-8105 Regensdorf (CH)

Publication of the grant of the patent: 20.09.95 Bulletin 95/38

Inventor: Maurer, Ueli
Weiherhofgasse 1
CH-9500 Wil (CH)

Designated Contracting States: AT BE CH DE DK ES FR GB GR IT LI LU NL SE

References cited:
PROCEEDINGS OF CRYPTO '89, August 1989, NEW YORK (US), pages 186 - 192; BENDER ET AL.: 'ON THE IMPLEMENTATION OF ELLIPTIC CURVE CRYPTOSYSTEMS'
PROCEEDINGS OF AUSCRYPT '90, January 1990, NEW YORK (US), pages 2 - 13; MENEZES ET AL.: 'THE IMPLEMENTATION OF ELLIPTIC CURVE CRYPTOSYSTEMS'











Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid (Art. 99(1) European patent convention).






Description 

This invention relates to a cryptographic communications system comprised of at least one communication channel, at least one encryption station, at least one decryption station, said encryption and decryption stations being mutually linked through the communications channel, and further comprised of a trapdoor generator.

In the following, a cryptographic communications system of this type will be designated for short as a [...] one-way function allowing message encryption and decryption, digital signature schemes and user identification [...]

One type of cryptographic system, generally known as a privacy system, prevents [...] by unauthorized parties from messages transmitted over an insecure communication channel, thus assuring [...]

[...] signature scheme, allows the sender of a message to code this message into a [...]

[...] impersonate himself as the previously examined person (or computer).

A conventional type of cryptographic privacy system allows a sender to transmit a plaintext message M to a receiver over an insecure communication channel, e.g. a telephone line. At the sender's site, an encryption device encodes the plaintext message M with the help of a secret key into a ciphertext message C which [...] decryption device decodes the ciphertext message C back into [...] secret key it is not feasible to determine the plaintext message M corresponding to a given ciphertext C, nor is it feasible to determine the secret key when given matching plaintext and ciphertext pairs. However, one prob[...]

[...] set up as follows. A person wishing to sign documents (e.g. a cheque) deposes an original version of his/her signature at the institution (e.g. a bank) that is supposed to later verify the issued signatures. The original signature could also be made publicly available in a directory if everybody should be enabled to verify the signature. The authenticity of documents [...] (2) nobody else is capable of producing signatures that are sufficiently similar to the [...]

[...] often used in computer applications where it is impossible to verify certain identification criteria (e.g. eye [...] crucial security problem: anyone who knows the password, for instance the computer to which a person has identified his/herself, can later impersonate as this person.

Messages exchanged in computer-based cryptographic systems are represented digitally, i.e. they are made up of sequences of numbers and/or letters. Therefore, it should seem inherently impossible to build a cryptographic digital signature system, since every signature would be a digital number that can trivially be copied and hence forged. Similarly, it should seem that no cryptographic identification protocol of the first kind discussed above could exist that prevents a verifier, after he has seen a digital number that convinces him of the identity of a person, from later reusing the same number to impersonate as the previously identified person.

Reference will be made hereinafter to a "user" or "party" rather than to a "person" so as to indicate that in many applications, it is computer systems rather than persons that are communicating and the "user" or "party" then is a device.

A major breakthrough in cryptography was achieved in 1976 when W. Diffie and M.E. Hellman published their seminal paper "New directions in cryptography" in IEEE Trans. on Inform. Theory, vol. IT-22, pp. 644-654, Nov. 1976 (cf. also patent US-A-4200770). Diffie and Hellman proposed a protocol by which two parties A and B who initially do not share any secret whatsoever can talk over a completely insecure channel (e.g. a telephone line that can be tapped by an eavesdropper), and at the end of the protocol each party comes up with one and the same secret key, which it is completely infeasible for the eavesdropper to determine, even when given all messages exchanged between A and B. Moreover, Diffie and Hellman suggested that digital signature schemes could be set up if there could be devised a certain type of transformation based on a so-called trapdoor one-way function. However, Diffie and Hellman did not propose an implementation of a trapdoor one-way function, nor did they prove that such a function exists.

Loosely speaking, a trapdoor one-way function is a transformation that maps the elements of a domain set {D} to the elements of a range set {R} such that

(1) the transformation is invertible, i.e., every element in the range set corresponds to exactly one element in the domain set,

(2) given an element of the domain set, it is easy to compute the corresponding transformed element in the range set, and

(3) given an element in the range set, it is completely infeasible to compute the corresponding element in the domain set unless one knows a secret piece of information (the trapdoor).

Diffie and Hellman suggested that a trapdoor one-way function could be used in two different ways. In both applications, a user publishes a description of a trapdoor one-way function while keeping the trapdoor secret. Any other user can thus compute the forward transformation, but none except the legitimate user can feasibly compute the inverse transformation. Here and hereinafter, the solution of a problem is deemed infeasible if no computer system known or conceivably available in a foreseeable future can solve the problem in a reasonable time (e.g. in less than 100 years).

The first of the two applications suggested by Diffie and Hellman is called a public-key cryptographic system. A user can publicly announce an encryption transformation for plaintext messages of such kind that only this user has the capability of deciphering received ciphertext messages. This is achieved by using the trapdoor one-way function as the encryption transformation and its inverse as the corresponding decryption operation. Clearly, all users must agree on a common way of representing plaintext messages as elements of the domain set {D} and ciphertext messages as elements of the range set {R}.

The second application suggested by Diffie and Hellman is called a digital signature scheme. A user can publicly disclose (e.g. register in a public directory similar to the deposition of an original signature) a signature verification transformation such that only this user has the capability of generating the signature corresponding to a given message to be signed. This is achieved by using the trapdoor one-way function as the signature verification transformation and its inverse as the corresponding signature generation transformation. Clearly, all users must agree on a common way of representing messages as elements of the range set {R} and signatures as elements of the domain set {D}. Such a digital signature scheme satisfies the four criteria for signature schemes mentioned above. In particular, transferring signatures is prevented by the fact that each signature only signs one particular message. The fact that one can easily reproduce an issued signature does not harm the system because the signed message cannot be modified. The problem that someone can produce a signature at random without knowing which message it signs can be solved by requiring that the messages be of a special form, e.g. redundant.

It may be noted that the trapdoor one-way function and its inverse are applied in respectively opposite 
order when a digital signature scheme and a public-key cryptographic system are performed. 

The first practical implementation of a trapdoor one-way function, and thus of a public key cryptographic system and a digital signature scheme based on Diffie and Hellman's idea, is described in patent US-A-4405829 to Rivest, Shamir and Adleman (cf. also R.L. Rivest, A. Shamir and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems", Communications of the ACM, vol. 21, pp. 120-126, 1978). According to this teaching, a user establishes a so-called RSA trapdoor one-way function by generating two large prime numbers p and q (e.g. each having 100 decimal digits) and selecting a number e that is relatively prime to (p-1) and (q-1). Generating large prime numbers is feasible and known in the art (cf. for instance U.M. Maurer, "Fast generation of secure RSA-moduli with almost maximal diversity", Advances in Cryptology - Eurocrypt'89, Lecture Notes in Computer Science, Vol. 434, Springer Verlag, Berlin, 1990, pp. 636-647, or M.O. Rabin, "Probabilistic algorithms for testing primality", J. of Number Theory, vol. 12, pp. 128-138, 1980). The user then publishes the product m = p·q of the two primes as well as the exponent e and computes secretly the unique number d satisfying the conditions

$$0 \le d \le \operatorname{lcm}[(p-1),(q-1)]$$

and

$$d \cdot e \equiv 1 \pmod{\operatorname{lcm}[(p-1),(q-1)]}$$

where lcm denotes the least common multiple of the numbers listed in the brackets and mod denotes the modulo function, the following features of which are of particular interest hereinafter.

The meaning of the congruence equation $a \equiv b \pmod{c}$ is that a and b have the same remainder when divided by c, which is equivalent to the statement that (a - b) is a (possibly negative or zero) multiple of c. Hereinafter, unless specified differently, b can be any expression involving several numbers or variables, and a is equal to the smallest non-negative integer number that satisfies the above congruence equation $a \equiv b \pmod{c}$. For instance, the above two congruence equations

$$0 \le d \le \operatorname{lcm}[(p-1),(q-1)]$$

and

$$d \cdot e \equiv 1 \pmod{\operatorname{lcm}[(p-1),(q-1)]}$$

can be replaced by the single equivalent equation

$$d \equiv 1/e \pmod{(p-1)(q-1)}.$$

In the above-mentioned teaching of Rivest, Shamir and Adleman, d is the secret trapdoor of the RSA trapdoor one-way function. Finding d is generally believed infeasible since it requires knowledge of the prime factors of the modulus m and it is generally believed that factoring large integers into their prime factors is a problem infeasible by computation.

The basic operation required to implement the RSA trapdoor one-way function as well as its inverse is 
exponentiation modulo the given number m, which will be called the modulus, while e and d will be referred 
to as the public and the secret exponent, respectively. 

There exist well-known techniques for implementing modular arithmetic (cf. for instance D.E. Knuth, "The art of computer programming", vol. 2, 2nd edition, Reading, MA: Addison-Wesley, 1981). In particular, a modular exponentiation technique called "square and multiply" is known that is very fast, even when the exponent is a number having several 100 decimal digits. The domain set and the range set of the RSA trapdoor one-way function both are equal to the set $Z_m$ of non-negative integers smaller than m, i.e. $\{D\} = \{R\} = Z_m = \{0,1,\ldots,(m-1)\}$.

To compute the trapdoor one-way function transformation for a given argument $x \in Z_m$ resulting in the transformed value y, the argument x is raised to the e-th power modulo m, i.e. $y \equiv x^e \pmod{m}$. The inverse transformation, viz. raising y to the d-th power modulo m, is similar but can only be performed when the trapdoor d is known, and results in x as has been proved in the above-quoted publication by Rivest, Shamir and Adleman, i.e. $x \equiv y^d \pmod{m}$.

Another application of the RSA trapdoor one-way function was proposed by Fiat and Shamir in patent US-A-4748668 (cf. also A. Fiat and A. Shamir, "How to prove yourself: practical solutions to identification and signature problems", Proceedings of CRYPTO'86, Lecture Notes in Computer Science, Vol. 263, Springer Verlag, Berlin, 1987, pp. 186-194). A simplified version of their identification protocol is discussed in the following. A user receives from a trusted authority the secret number s such that $s^2 \equiv ID \pmod{m}$, where ID is a number representing an identity information for identification of the user and m is the product of two large prime numbers. It may be noted that s is the square root modulo m of the number ID. It has been shown that in order to be able to compute square roots modulo m one must know the prime factors of m, which are kept secret by the trusted authority. In order to prove itself, rather than to reveal s and allow the challenger to verify that $s^2 \equiv ID \pmod{m}$ (and thereafter to enable the challenger to impersonate as the user), the user only proves that he knows s, but without revealing it. In fact, one can prove that even if the identification protocol is repeated several times, a challenger cannot obtain any information about s whatsoever that he did not possess before execution of the protocol.

In a simplified version, the Fiat-Shamir protocol works as follows. The user chooses a random number r in $Z_m$ that is relatively prime to m and sends to the challenger the number $r^2 \pmod{m}$ together with the claimed identity information ID. The challenger challenges the user by issuing a randomly chosen binary number b. If b=0, the user must reply by sending r so as to prove that the previously sent $r^2$ was indeed a number of which it knew the square root. If b=1, the user must reply with the number $r \cdot s \pmod{m}$ so as to prove that it knows both r and s. Since the user can each time cheat in this protocol with a 50% chance only, namely when it guesses the challenge variable b correctly in advance, the challenger can be convinced that the user knows s if the protocol is run several times consecutively. The probability of guessing correctly a sequence of n random bits is $2^{-n}$, which is a very small number when n is sufficiently large.
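The simplified protocol above, as an added example that is not part of the patent text: one round of commit, challenge and response, plus a check that a party without s passes a round only when it guessed b in advance. The modulus 3233 = 61·53, the secret s = 123 and all function names are constructed for illustration; the verifier's checks (response² ≡ x for b=0, response² ≡ x·ID for b=1) follow from s² ≡ ID (mod m).

```python
import random
from math import gcd

# Constructed toy parameters, far too small for real use.
M = 61 * 53                    # public modulus m; its factors stay with the authority
S_SECRET = 123                 # user's secret s issued by the trusted authority
ID = S_SECRET * S_SECRET % M   # public identity number, ID = s^2 mod m


def commit(rng, m=M):
    """User: choose r relatively prime to m; return (r, x) with x = r^2 mod m."""
    while True:
        r = rng.randrange(2, m)
        if gcd(r, m) == 1:
            return r, r * r % m


def respond(r, s, b, m=M):
    """User: answer challenge bit b with r (b=0) or r*s mod m (b=1)."""
    return r % m if b == 0 else r * s % m


def verify(x, identity, b, response, m=M):
    """Challenger: response^2 must equal x (b=0) or x*ID (b=1) modulo m."""
    expected = x % m if b == 0 else x * identity % m
    return response * response % m == expected


def honest_round(rng, s=S_SECRET, identity=ID, m=M):
    """One full round with a user who knows s; always accepted."""
    r, x = commit(rng, m)
    b = rng.randrange(2)
    return verify(x, identity, b, respond(r, s, b, m), m)


def cheating_round(rng, guess, b, identity=ID, m=M):
    """A party WITHOUT s prepares its commitment for challenge `guess`.

    For guess=0 it commits to x = r^2; for guess=1 it commits to
    x = r^2 / ID, so that r itself squares to x*ID. Either way it can
    only send r, which is accepted only if the real challenge b == guess.
    """
    r, x = commit(rng, m)
    if guess == 1:
        x = x * pow(identity, -1, m) % m
    return verify(x, identity, b, r, m)


def cheater_pass_count(trials, rng):
    """Number of single rounds a guessing party passes out of `trials`."""
    return sum(
        cheating_round(rng, rng.randrange(2), rng.randrange(2))
        for _ in range(trials)
    )


if __name__ == "__main__":
    rng = random.Random(2024)
    print("honest user, 20 rounds:", all(honest_round(rng) for _ in range(20)))
    print("guessing party, rounds passed out of 2000:", cheater_pass_count(2000, rng))
```

The guessing party passes roughly half of the single rounds, which is why n consecutive rounds leave it a chance of only $2^{-n}$.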

One way of breaking the RSA trapdoor one-way function is by computing the trapdoor exponent d. It has been proved that it is no easier to determine d than it is to find the prime factors p and q of the public modulus m, which, as mentioned above, is assumed to be a very difficult problem. However, it has not been proved that in order to break the cryptographic system based on the RSA trapdoor one-way function it is necessary to compute d and thus to factor m.

Thus, it is an object of the present invention to provide cryptographic systems comprised of at least one encryption station, at least one decryption station and a trapdoor generator, which cryptographic systems are based on novel trapdoor one-way functions that are more secure than those previously proposed.

A further object of the present invention is to provide public key cryptographic systems including a trapdoor one-way transformation function generator to provide message encryption and decryption, digital signature schemes and user identification protocols, which trapdoor generator generates a novel trapdoor one-way function that is more secure than those previously proposed.

To attain these objects and others which will appear from the description of the invention given hereinafter, the invention provides a cryptographic system of the type defined above in the preamble of this specification, wherein the trapdoor generator is comprised of the combination of means alternatively defined in claims 1 or 2. Preferred embodiments of the cryptographic system according to the invention are defined in the appended claims.

The security of the cryptographic system according to the invention relies on the difficulty of factoring a large public modulus m as in the RSA cryptographic system. However, in the cryptographic system according to the invention the transformations involved are operations on so-called elliptic curves over a finite ring, resulting in transformations entirely different from those proposed by Rivest, Shamir and Adleman.

In the paper "On the Implementation of Elliptic Curve Cryptosystems" by Bender et al. in "Advances in Cryptology - Proceedings of Crypto'89", Edited by G. Brassard, Springer-Verlag (1989), pp. 186-192, and also in the paper "The Implementation of Elliptic Curve Cryptosystems" by Menezes et al. in "Advances in Cryptology - Proceedings of AUSCRYPT'90", Edited by J. Seberry & J. Pieprzyk, Springer-Verlag (1990), pp. 1-13, it is disclosed that elliptic curves may be used to implement Diffie-Hellman type public key cryptographic systems. In such systems, the public key is one element of the mathematical group the cryptosystem is based on. However, in public key cryptographic systems of the Rivest-Shamir-Adleman type the order of the mathematical group itself constitutes, or allows one to compute, the secret key the cryptosystem is based on, while said order is not an element of said mathematical group.

Thus, a feature and advantage of the invention is that the problem of breaking a cryptographic system based on these novel functions is a mathematically different and possibly much more difficult problem than breaking a similar cryptographic system based on the RSA trapdoor one-way function. Accordingly, even if the RSA function were broken in a way that does not compute the prime factors of m, the cryptographic systems of this invention still are secure.

It is trivial to assign an element of the domain set of the RSA trapdoor one-way function to a given plaintext message in the case of the RSA public key cryptographic system. Any simple standardized transformation assigning numbers selected in $\{0,1,\ldots,(m-1)\}$ to strings of letters will do. If picture data or voice data is transformed in a cryptographic system, similar simple transformations can be applied. These transformations are independent of the cryptographic system used and have no influence on the security of the system.

Clearly, if a string is too long (as can be the case for a public key cryptographic system) it can be divided into smaller sub-strings of suitable size. In a digital signature scheme, the well-known technique of hashing can be used to compress a long message to a sufficiently small number. In this context, a hashing function is a function that assigns to strings of arbitrary length a string of fixed short length (e.g. 50 characters). Obviously, several strings may hash to the same hashed value, but this does not affect the security of a signature scheme if it is very difficult to actually find for a given message another message resulting in the same hashed value. Hashing functions having this property are called cryptographically secure hash functions, and an implementation thereof can be based on any conventional cryptographic system (cf. A. De Santis and M. Yung, "On the design of provably secure cryptographic hash functions", to appear in the proceedings of Eurocrypt'90, Lecture Notes in Computer Science, Berlin, Springer Verlag).

For the trapdoor one-way functions provided by the invention and described below, however, suitable transformations for mapping messages or identities into elements of the domain set D or the range set R without revealing the factorization of the modulus m still need to be defined. The solutions proposed to this effect are included within the scope of the present invention.

The invention will now be described in closer detail in the following, with reference to the accompanying drawings in which

Fig. 1 is a block diagram of a cryptographic system according to the invention in a particular embodiment thereof for use as a digital signature scheme;
Fig. 2 is a block diagram of a cryptographic system according to the invention in a particular embodiment thereof adapted for message encryption and decryption;
Fig. 3 is a block diagram of a cryptographic system according to the invention in a particular embodiment thereof adapted for generating parameters useful for user identification; and
Fig. 4 is a block diagram of a cryptographic system according to the invention in a particular embodiment thereof adapted for verification of a user identity.

To begin with, the mathematical structures on which the embodiments of the present invention are based are described. These structures are the finite field GF(p), the finite ring $Z_m$, and elliptic curves over finite fields and rings.

A (mathematical) field consists of a set of elements and two operations, denoted addition and multiplication, which satisfy certain properties. One of these properties is that a field must have a neutral element for multiplication, denoted 1, such that for every element e there must exist an inverse element $e^{-1}$ satisfying $e \cdot e^{-1} = 1$. A well-known example of a field is the field of real numbers for which addition and multiplication is defined in the conventional way. It may be noted that the set of all integers does not form a field because there does not exist for every integer another integer that multiplies with it to 1 (e.g. 1/3 is not an integer number). Fractions would be required, and indeed, the set of all rational numbers (i.e. fractions) forms a field. In cryptography, one is particularly interested in finite fields, i.e. fields whose sets are finite rather than infinite as for the real numbers. One way to define a finite field is to specify a prime number p and then to let the set of elements of the finite field be the set of numbers $Z_p = \{0,1,\ldots,(p-1)\}$ and the addition and multiplication operations be addition and multiplication modulo p, respectively. Such a field is denoted GF(p). As in the field of real numbers, one can also define a division operation. Thus, a/b is the unique number c such that $b \cdot c \equiv a \pmod{p}$. To give a simple example, in the field GF(7) the set is {0,1,2,3,4,5,6} and for instance 3+8=4, 5·6=2 (since 30 ≡ 2 (mod 7)), 0·4=0 and 3/4=6 (since 4·6 = 24 ≡ 3 (mod 7)).

A mathematical structure analogous to the finite field GF(p) can be defined when the modulus is not a prime number. However, this new structure is not a field, as the following example illustrates. When computing modulo 6, there exists no number that when multiplied with 4 and reduced modulo 6 results in 1. The reason is that the result of this multiplication would always be an even number. More generally, the problem is that the greatest common divisor of 4 and 6, denoted gcd[4,6], is not equal to 1. A mathematical structure of this type is called a ring $Z_m$ and m is called its modulus; it has the property that division is not always defined. (A nice property of fields is that one can always divide, except by 0). Nevertheless, the ring $Z_m$ is an important structure in cryptography.

In practical applications, the modulus m of the ring (or the field if m is prime) is a very large number, for instance having 200 or more decimal digits. There exist well-known techniques for computing with such huge numbers (cf. for instance D.E. Knuth, quoted above). Addition and multiplication can be implemented by ordinary addition and multiplication, respectively, followed by a modular reduction modulo m, i.e. by a division by m where only the remainder is kept as the result. The only non-obvious operation is that of division, which can easily be implemented by using the extended Euclidean greatest common divisor algorithm (cf. for instance J.D. Lipson, "Elements of algebra and algebraic computing", Benjamin/Cummings, Menlo Park, CA, 1981). Implementations of these field and ring operations for very large moduli are well known and widely used in cryptographic applications.

Elliptic curves are mathematical structures that have been studied by mathematicians for decades. Only recently has their usefulness for cryptographic purposes been pointed out (cf. for instance N. Koblitz, "A Course in Number Theory and Cryptography", Springer Verlag, New York, 1987). They offer an alternative to finite fields for use in the Diffie-Hellman public key distribution protocol (cf. for instance W. Diffie and M.E. Hellman, quoted above). The present invention exploits properties of elliptic curves that have not previously been used in cryptography.

An elliptic curve over a field F consists of the set of distinct pairs of integers (x,y) which satisfy the equation

$$y^2 = x^3 + ax + b,$$

where a and b are parameters of the elliptic curve. Such a solution pair is called a point on the elliptic curve. In addition to the solution points of the above equation, an elliptic curve also contains a so-called point at infinity, denoted ∞.

In the following, interest is mainly directed to elliptic curves over finite fields GF(p) where p is a large prime number. For given parameters a and b satisfying $0 \le a < p$ and $0 \le b < p$ the points on the corresponding elliptic curve, denoted $E_p(a,b)$, are the pairs of integers (x,y) satisfying

$$0 \le x < p$$

$$0 \le y < p$$

and

$$y^2 \equiv x^3 + ax + b \pmod{p}.$$

The number of points (including ∞) on this elliptic curve $E_p(a,b)$ is denoted $|E_p(a,b)|$ and called the order of the elliptic curve $E_p(a,b)$. The order of an elliptic curve $E_p(a,b)$ can be computed for instance by the Schoof algorithm (cf. R. Schoof, "Elliptic curves over finite fields and the computation of square roots mod p", Mathematics of Computation, Vol. 44, No. 170, pp. 483-494, 1985).

For example, considering the elliptic curve $E_{13}(0,1)$, i.e. the set of distinct pairs of integers (x,y) which satisfy the equation $y^2 \equiv x^3 + 1 \pmod{13}$, there are 12 points on this curve, namely ∞ (which is on every curve), (4,0), (10,0), (12,0), (0,1), (0,12), (2,3), (5,3), (6,3), (2,10), (5,10) and (6,10). Hence $|E_{13}(0,1)| = 12$.

By defining an appropriate operation (called "elliptic-curve addition", although it has nothing in common with addition in a conventional sense) that assigns to every pair $P_1, P_2$ of points a third point $P_3 = P_1 + P_2$ (called the "sum" of these points), an elliptic curve over a finite field can be interpreted as a finite (mathematical) group in which the point ∞ is the neutral element. The a-fold multiple of a point P, denoted a·P, is defined as the point obtained by consecutively adding P a number a of times: a·P = P + P + ... + P where the number of terms in the sum is a.

The discrete logarithm problem on the elliptic curve having base point P is as follows. Given a point P', find the smallest non-negative number x such that x·P = P', if such a number x exists. The following set of rules specify how addition on elliptic curves can be implemented, i.e. how to compute $P_3 = P_1 + P_2$ for given $P_1 = (x_1,y_1)$ and $P_2 = (x_2,y_2)$:

- If either $P_1 = \infty$ or $P_2 = \infty$ or both, then $P_3 = \infty$.
- If $x_1 = x_2$ but $y_1 \ne y_2$, which implies that $y_1 \equiv -y_2 \pmod{p}$, then $P_3 = \infty$.
- In all other cases $P_3 = (x_3,y_3) = (x_1,y_1) + (x_2,y_2)$ is computed as follows. Let t be defined as

$$t \equiv (y_2 - y_1)/(x_2 - x_1) \pmod{p} \quad \text{if } x_1 \ne x_2$$

$$t \equiv (3x_1^2 + a)/(2y_1) \pmod{p} \quad \text{if } x_1 = x_2$$

If none of the above two cases applies, the denominator is always non-zero and thus the division is defined. The resulting point $P_3 = (x_3,y_3)$ is defined by

$$x_3 \equiv t^2 - x_1 - x_2 \pmod{p}$$

$$y_3 \equiv t(x_1 - x_3) - y_1 \pmod{p}$$

All operations (additions, subtractions, multiplications and divisions) have to be performed in the field GF(p). Clearly, when $P_1 = P_2$, then the first one of the last equations is equivalent to $x_3 \equiv t^2 - 2x_1$, the use of which may slightly speed up computation.

For example, considering the same elliptic curve $E_{13}(0,1)$ as in the preceding example, the point $P_3 = (2,3)+(6,10)$ can be computed as follows: $t \equiv (10-3)/(6-2) = 7/4 \equiv 5 \pmod{13}$; the last step follows from $4 \cdot 5 \equiv 7 \pmod{13}$. Hence $x_3 \equiv 5^2-2-6 \equiv 4 \pmod{13}$ and $y_3 \equiv -5(4-2)-3 \equiv 0 \pmod{13}$ and thus $P_3 = (4,0)$.

Elliptic curves are usually considered only over fields, but it is possible to extend the definition to elliptic curves over the ring $Z_m$, where m is the product of a multiplicity r of distinct prime numbers $p_1,\ldots,p_i,\ldots,p_r$, wherein i is an integer satisfying the conditions $1 \le i \le r$. The elliptic curve $E_m(a,b)$ is defined as the set of solution pairs (x,y) satisfying the conditions

$$0 \le x < m$$

and

$$0 \le y < m$$

and the congruence equation

$$y^2 \equiv x^3 + ax + b \pmod{m}.$$

For reasons explained below the point at infinity is not included in this case. According to the well-known Chinese remainder theorem, every point (x,y) on $E_m(a,b)$ can be uniquely represented as a list of r points on the elliptic curves $E_{p_1}(a,b),\ldots,E_{p_i}(a,b),\ldots,E_{p_r}(a,b)$, i.e. as a list of pairs $[(x_1,y_1),\ldots,(x_i,y_i),\ldots,(x_r,y_r)]$ where for $1 \le i \le r$

$$x_i \equiv x \pmod{p_i}$$

$$y_i \equiv y \pmod{p_i}$$

To compute the list $[(x_1,y_1),\ldots,(x_i,y_i),\ldots,(x_r,y_r)]$ for a given point (x,y) on $E_m(a,b)$ and vice versa is state of the art (cf. for instance J.D. Lipson, quoted above).

An addition operation can be defined on $E_m(a,b)$ as follows. Two points on $E_m(a,b)$ can be added by first computing the corresponding two lists of points on $E_{p_1}(a,b),\ldots,E_{p_i}(a,b),\ldots,E_{p_r}(a,b)$, the addition being performed by components according to the addition rule on elliptic curves over a finite field, and then computing the point on $E_m(a,b)$ corresponding to this list. This operation is well-defined except when the resulting point on one of the elliptic curves $E_{p_1}(a,b),\ldots,E_{p_i}(a,b),\ldots,E_{p_r}(a,b)$ is the point ∞, since in this case it is impossible to transform the list of points back to $E_m(a,b)$. It may be noted, however, that when the prime factors $p_i$ of m are all very large, then the probability that the sum of two randomly selected points on $E_m(a,b)$ is not defined is extremely small.

The key observation that will allow to build a trapdoor one-way function based on computations on the
elliptic curve $E_m(a,b)$, where the factorization of $m$ is the trapdoor, is that the above defined addition operation
can be executed using only operations in the ring $Z_m$, i.e. without knowledge of the prime factors
$p_1,\ldots,p_i,\ldots,p_r$ of $m$. This is achieved by simply using the same rule as for addition on an elliptic curve
over a finite field, i.e. the two points $P_1$ and $P_2$ on $E_m(a,b)$ are added to result in
$P_3 = (x_3,y_3) = P_1 + P_2$ by computing $t$ according to the rule

$$t \equiv (y_2 - y_1)/(x_2 - x_1) \pmod{m} \quad \text{if } x_1 \ne x_2$$
$$t \equiv (3x_1^2 + a)/(2y_1) \pmod{m} \quad \text{if } x_1 = x_2$$

and using the formulas

$$x_3 \equiv t^2 - x_1 - x_2 \pmod{m}$$
$$y_3 \equiv t(x_1 - x_3) - y_1 \pmod{m}$$

As indicated, all operations (additions, subtractions, multiplications and divisions) have to be performed
in the ring $Z_m$. A problem with the above addition rule is that the quantity $t$ is not defined when the denominator
is not relatively prime to $m$. This problem occurs if and only if one of the resulting points on the curves
$E_{p_1}(a,b),\ldots,E_{p_i}(a,b),\ldots,E_{p_r}(a,b)$, when considering the addition as performed by components, is the
point at infinity $\infty$. As mentioned above, the risk that such a problem occurs when two randomly selected points
on $E_m(a,b)$ are added is extremely small and can well be accepted as a very small risk of system failure. In fact,
should such a problem occur, this failure could immediately be used to generate a non-trivial factor of $m$.
Therefore, if factoring $m$ is difficult such a failure cannot occur except with very small probability, since
otherwise the very execution of a computation on $E_m(a,b)$ would be a feasible factoring algorithm, which is
believed not to exist. Although $E_m(a,b)$ is not a group as would be required for most cryptographic protocols to
guarantee their successful execution, one can prove (cf. for instance S. Goldwasser and J. Kilian, "Almost all
primes can be quickly certified", Proceedings of the 18th ACM Symposium on Foundations of Computer Science,
pp. 316-329, 1986, wherein elliptic curves over rings are considered in a different context) that unless the
computation fails by failure of a division (see above), $E_m(a,b)$ behaves for an observer just as if it were a
group. In particular, all the cryptographic systems that will be discussed below work successfully as if
$E_m(a,b)$ actually were a group.

It is well-known that when prime factors of $m$ are given, a computation in the ring $Z_m$ can be sped up by
performing the computation modulo each prime factor $p_i$ separately, and then combining these results.

To set up a trapdoor one-way function based on an elliptic curve over $Z_m$, a user (or some trusted authority)
can generate a modulus $m$ that is the product of $r$ suitably chosen distinct prime numbers
$p_1,\ldots,p_i,\ldots,p_r$, i.e. $m = p_1 \cdots p_i \cdots p_r$. The user then secretly computes the orders of the
elliptic curves $|E_{p_1}(a,b)|,\ldots,|E_{p_i}(a,b)|,\ldots,|E_{p_r}(a,b)|$, the least common multiple $\mu$ of these
orders, i.e.

$$\mu = \mathrm{lcm}[\,|E_{p_1}(a,b)|,\ldots,|E_{p_i}(a,b)|,\ldots,|E_{p_r}(a,b)|\,],$$

selects a public multiplier $e$ relatively prime to $\mu$, and computes the secret multiplier $d$ according to the
equation

$$d \equiv 1/e \pmod{\mu}$$

The user then publishes $m$, $a$, $b$ and $e$. The domain set {D} and the range set {R} of the trapdoor one-way
function both are equal to the points $(x,y)$ on the elliptic curve $E_m(a,b)$. For a given point $P$, the trapdoor
one-way function transformation resulting in the point $Q$ is defined by

$$Q = e \cdot P \text{ on } E_m(a,b),$$

and the corresponding inverse operation is defined by

$$P = d \cdot Q \text{ on } E_m(a,b).$$

It can be shown that although the addition operation on $E_m(a,b)$ is in some very special cases not defined, the
point $Q = e \cdot P$ is always defined. For a large number $e$ a point $P$ can efficiently be multiplied by $e$ by
using the so-called repeated doubling method (cf. for instance D.E. Knuth, quoted above). Let
$e_k e_{k-1} \ldots e_1 e_0$ be the unique binary representation of $e$ such that $e_k = 1$ and
$e = 2^k + e_{k-1} 2^{k-1} + \ldots + e_1 \cdot 2 + e_0$. Then $Q = e \cdot P$ can be computed by computing the sequence
$f_1 P, f_2 P, \ldots, f_{k+1} P$ of points where $f_i$ is the number represented by the first $i$ bits of
$e_k e_{k-1} \ldots e_1 e_0$, i.e. $f_i$ is the quotient when $e$ is divided by $2^{k+1-i}$. For instance, 37 is
represented in binary as 100101 and hence the point $Q = 37P$ can be computed by computing 2P=P+P,
4P=2P+2P, 8P=4P+4P, 9P=8P+P, 18P=9P+9P, 36P=18P+18P and Q=37P=36P+P. It may be noted that
the number of addition operations that must be performed is only equal to the length of the representation of
$e$ plus the number of 1's in this representation minus 2, which is much smaller than $e$ itself. For $e = 37$ the
number of required additions is 7.

Clearly, the system can also be set up for a fixed public multiplier $e$, for example $e = 5$, which in this case
still is considered to have been selected, although but once for all. The only modification required is that the
selected prime numbers $p_i$ must satisfy the condition that $(p_i+1)$ and $e$ are relatively prime.

In Fig. 1 there is shown a block diagram of a digital signature scheme based on the above described trap- 
door one-way function in which a user A can generate a signature corresponding to a given message and trans- 
mit the signature to one or several verifiers who can verify the authenticity and integrity of the signed message. 
For the sake of simplicity, only one verifying user (user B) is shown in Figure 1.

A user A wishing to later sign messages uses a trapdoor generator TG to generate the parameters m, a, 
b, e and d and registers the public parameters m, a, b and e together with his name in a public directory PD. 
These parameters correspond to the original signature that is deposited for later reference in a conventional 
signature system. 

The directory need not be public, and in fact in many applications the signer may only wish to enable a
selected set of users to verify his signatures by exclusively providing them with the parameters m, a, b and e.
The parameter d is a secret parameter that is stored secretly by the signer.

Given the system parameter $r$, the trapdoor generator generates $r$ prime numbers $p_1,\ldots,p_i,\ldots,p_r$ and
forms their product $m = p_1 \cdots p_i \cdots p_r$. $a$ and $b$ are appropriately chosen integer numbers satisfying
the conditions $0 \le a < m$ and $0 \le b < m$. The trapdoor generator then computes the orders of the elliptic
curves $E_{p_1}(a,b),\ldots,E_{p_i}(a,b),\ldots,E_{p_r}(a,b)$, computes $\mu$ according to

$$\mu = \mathrm{lcm}[\,|E_{p_1}(a,b)|,\ldots,|E_{p_i}(a,b)|,\ldots,|E_{p_r}(a,b)|\,],$$

chooses an appropriate number $e$ that is relatively prime to $\mu$, and computes $d \equiv 1/e \pmod{\mu}$.

In order to sign a message $M$ represented by an integer $x$, user A converts $x$ into a point $Q(s,t)$ on the
elliptic curve $E_m(a,b)$ using a message-to-elliptic-curve converter ME. In a preferred embodiment, this is
achieved by choosing the first coordinate $s$ of $Q$ as a well-defined public function of $x$ such that
$s^3 + as + b$ is a quadratic residue (a square) modulo $m$. For instance, if $x$ is a message in the range
$0 \le x < m/1000$, then $s$ could be defined as the smallest integer greater or equal to $1000x$ such that
$s^3 + as + b$ is a quadratic residue (a square) modulo $m$. The point on $E_m(a,b)$ that uniquely represents the
message $x$ is then defined as $(s,t)$, where $t$ is one of the $2^r$ square roots modulo $m$ (for instance the
smallest one) of $s^3 + as + b$. The square root of a number $s$ modulo $m$, which exists if and only if $s=0$ or
$s$ is a quadratic residue modulo $m$, can easily be computed when the factors of $m$ are known, by computing the
square roots of $s$ modulo each prime factor $p_i$ of $m$ and combining the results using the Chinese remainder
technique. For prime factors $p_i$ of $m$ for which $(p_i+1)$ is divisible by 4, a square root of a number can be
computed by raising this number to the power $(p_i+1)/4$ modulo $m$. When $(p_i-1)$ is divisible by 4, Peralta's
efficient algorithm can be used (cf. R. Peralta, "A simple and fast probabilistic algorithm for computing square
roots modulo a prime number", IEEE Transactions on Information Theory, Vol. IT-32, pp. 846-847, 1986).

The signature message $S$ corresponding to the message $M = \langle x \rangle$ is obtained by computing the point
$P(u,v)$ on $E_m(a,b)$ in an elliptic-curve computation means ECC according to

$$P(u,v) = d \cdot Q(s,t)$$

and converting $P$ into a signature message $S$ using an elliptic-curve-to-message converter EM. The signature
message $S$ is represented by the two integer numbers $u$ and $v$, i.e. $S = \langle u,v \rangle$. A transmitter TR is
then used to send the signature message $S$ over communication channel COM to user B.

Clearly, the conversion from P to S in the elliptic-curve-to-message converter EM of user A's device in
Fig. 1 is trivial and consists in forwarding to the transmitter TR the binary representations of two integer
numbers u and v either unchanged or concatenated, as may be required for input to the transmitter TR. The
elliptic-curve-to-message converter EM is shown included in user A's device in Fig. 1 merely to represent and
interface the different nature of the mathematical objects P and S, the former being a point of the elliptic
curve and the latter a message.

Upon receiving the signature message $S$ over communication channel COM using a receiver RC, user B
converts the signature message $S$ into a point $P = (u,v)$ on the elliptic curve $E_m(a,b)$ using a
message-to-elliptic-curve converter ME, then computes the point $Q(s,t)$ on $E_m(a,b)$ in an elliptic-curve
computation means ECC according to

$$Q(s,t) = e \cdot P(u,v)$$

and converts the obtained point $Q$ into message $M = \langle x \rangle$ using an elliptic-curve-to-message converter
EM. This last step is easily achieved in the above described preferred embodiment by extracting the number $x$
representing the message $M$ from the coordinate $s$ of P simply by dividing $s$ by 1000.

Clearly again, the conversion from S to P in the message-to-elliptic-curve converter ME of user B's device
is trivial and consists in forwarding to the elliptic-curve computation means ECC the binary representations
of two integer numbers u and v either unchanged or separated, as may be required by the output of the receiver
RC. The message-to-elliptic-curve converter ME is shown included in user B's device in Fig. 1 merely to
represent and interface the different nature of the mathematical objects S and P, the former being a message
and the latter a point of the elliptic curve.

If sufficient redundancy is included in the integer $x$ representative of the message $M$, an eavesdropper can
be prevented from generating signatures at random in an attack where he does not care about which message
the forged signature actually corresponds to. For instance, $s$ can be the smallest integer greater or equal to $x$
for which there exists an integer $t$ such that $Q(s,t)$ is representative of a point on $E_m(a,b)$. To ensure that
such an integer $s$ actually can be found and cannot be representative of another message than
$M = \langle x \rangle$, in a preferred embodiment there are accepted as messages only such integers whose binary
representation has a predetermined number of least significant bits all having a same binary value which can be
"one" or "zero". For instance, the 30 least significant bits of $s$ all are zeros. This provision at the same time
also ensures that the transmitted message has an inherent redundancy sufficient to make it completely improbable
that a randomly selected point $Q(s,t)$ on $E_m(a,b)$ might be representative of a duly signed message $M$. The
occurrence of said redundancy finally is checked by user B in a verification means VM.

Unfortunately, the above described trapdoor one-way function cannot be used to build up a public-key 
cryptographic system, because without knowing the factorization of m it is infeasible by computation to find a 
point on E m (a,b) that can be associated with a given number x representing a message M. 

The new trapdoor one-way functions according to the invention are based on the observation that there 
exist certain classes of elliptic curves which all have the same order. 

= It can be shown that if $(p_i+1)$ is divisible by 3 and $a=0$, then for all $b$ satisfying the conditions
$0 \le b < p_i$ the order of the elliptic curve $E_{p_i}(0,b)$ just is $|E_{p_i}(0,b)| = (p_i+1)$.

= Similarly, it can be shown that if $(p_i+1)$ is divisible by 4 and $b=0$, then for all $a$ satisfying the
conditions $0 \le a < p_i$ the order of the elliptic curve $E_{p_i}(a,0)$ just is $|E_{p_i}(a,0)| = (p_i+1)$.

The fact that the order of all elliptic curves in a class of elliptic curves is the same allows to compute the
parameter $\mu$ even though the actual elliptic curve is determined only later, when a message is being selected.
A crucial observation is that when either one of the parameters $a$ or $b$ of the elliptic curve $E_m(a,b)$ is
fixed, then the step of selecting a point $(x,y)$ on the elliptic curve uniquely determines the other parameter
$b$ or $a$, respectively.

Allowing messages to be pairs (x,y) of integers representative of a point P(x,y) of the elliptic curve rather
than being only one of two coordinates (e.g. the coordinate x as in the trapdoor one-way function described 
above) offers two major advantages. The first advantage is that it is not necessary to compute the second 
coordinate corresponding to the given message coordinate, which computation in general requires knowledge 
of the prime factors of m (this is the very reason why the trapdoor one-way function described above can only 
be used as a digital signature scheme, not as a public key cryptographic system). The second advantage is 
that the message size is doubled and thus the encryption can be sped up by a factor of 2. 

Fig. 2 shows a public-key cryptographic system based on either of the above described choices of para- 
meters and in which a user A publishes the description of an encryption transformation for which he but nobody 
else can feasibly perform the corresponding decryption operation. Any other user can then send cryptograph- 
ically secure enciphered messages to user A without sharing any secret key with him. For the sake of simplicity, 
only one other user (user B) is shown in Fig. 2. 

The following description is given for the first choice of parameters, and a slight modification required for 
the second choice of parameters will be described later. 

In order to set up the public-key cryptographic system, user A uses the trapdoor generator to generate
parameters $m$, $e$ and $d$. Given the system parameter $r$, the trapdoor generator generates $r$ prime numbers
$p_1,\ldots,p_i,\ldots,p_r$ such that, for each of them, the respective value $p_i+1$ is divisible by 3, and then
forms their product $m = p_1 \cdots p_i \cdots p_r$. The trapdoor generator then computes $\mu$ according to

$$\mu = \mathrm{lcm}[p_1 + 1,\ldots,p_i + 1,\ldots,p_r + 1],$$

chooses an appropriate number $e$ that is relatively prime to $\mu$ and computes $d$ according to

$$d \equiv 1/e \pmod{\mu}.$$

User A then publishes the two parameters $m$ and $e$ and stores the parameter $d$ secretly. The dashed line in
Fig. 2 indicates that user B receives user A's published parameters, for instance by using a public directory
service.

To encipher a message $M = \langle x,y \rangle$ for user A, where the message consists of a pair of integers $(x,y)$
satisfying the conditions $0 \le x < m$ and $0 \le y < m$, user B considers the elliptic curve $E_m(0,b)$ on which
the point $P(x,y)$ is located and computes a point $Q(w,z)$ on the same elliptic curve in an elliptic-curve
computation means ECC according to

$$Q(w,z) = e \cdot P(x,y)$$

The parameter $b$ is implicitly given by $b \equiv y^2 - x^3 \pmod{m}$, but it need not be computed since the
elliptic curve addition (and thus also the multiplication) algorithm do not depend on $b$. In other words, the
elliptic curve on which the points $P$ and $Q$ are located is implicitly defined but no explicit description is
required. The encrypted message which is then transmitted by a transmitter TR over an insecure communication
channel COM consists of a pair of integers $(w,z)$ representative of the point $Q$, i.e. the encrypted message is
$Q = \langle w,z \rangle$.

Upon receiving the ciphertext message $Q = \langle w,z \rangle$ over the communication channel COM by means of a
receiver RC, user A computes the point $P(x,y)$ on the same elliptic curve in an elliptic-curve computation means
ECC according to

$$P(x,y) = d \cdot Q(w,z),$$

whereby the plaintext message $M = \langle x,y \rangle$ is recovered.

The following example illustrates this public-key cryptographic system for a set of parameters that are
much too small to offer any security at all. In a preferred embodiment, $m$ could be the product of two primes
each having 100 to 150 decimal digits.

Let $r=2$ and let the two primes be $p_1=17$ and $p_2=23$. Thus, $m = 17 \cdot 23 = 391$. It may be noted that both
$(p_1+1)$ and $(p_2+1)$ are divisible by 3. Therefore, $|E_{17}(0,b)| = 17 + 1 = 18$ and
$|E_{23}(0,b)| = 23 + 1 = 24$ for all $b \ne 0$, hence $\mu = \mathrm{lcm}[18,24] = 72$. Let further $e=5$, which
implies that $d=29$ since $5 \cdot 29 = 145 \equiv 1 \pmod{72}$. Consider a message represented by the pair of
integers <127,203>. This implies that $b=220$ and thus that all computations will actually be on the elliptic
curve $E_{391}(0,220)$, but it actually is not necessary to know $b$ in order to use the system. To encipher the
message point $P=(127,203)$ it must be multiplied by 5. This is achieved by consecutively computing 2P=P+P,
4P=2P+2P and 5P=4P+P. The computation of $2P = (x_2,y_2) = (127,203) + (127,203)$ will be demonstrated in detail.
According to the rules of addition on an elliptic curve $E_m(a,b)$ one computes $t = 3 \cdot 127^2/(2 \cdot 203)$.
One has $3 \cdot 127^2 = 48387 \equiv 294 \pmod{391}$ and $2 \cdot 203 \equiv 15 \pmod{391}$. Now, $1/15 \pmod{391}$
is found to be 365, as can easily be verified by checking that $15 \cdot 365 \equiv 1 \pmod{391}$. Thus one obtains
$t \equiv 294/15 \equiv 294 \cdot 365 \equiv 176 \pmod{391}$, $x_2 \equiv 176^2 - 2 \cdot 127 = 30722 \equiv 224 \pmod{391}$,
and $y_2 \equiv 176 \cdot (127-224) - 203 = -17275 \equiv 320$. Hence $2 \cdot (127,203) = (224,320)$ on the elliptic
curve. Similarly, one finds that 4P=(224,320)+(224,320)=(350,230) and Q=5·P=(127,203)+(350,230)=(364,261). The
ciphertext message is thus the pair of numbers <364,261>. In a similar way as for the computation of Q = 5·P one
can also perform the deciphering operation P = 29·Q by computing consecutively 2Q=Q+Q, 3Q=2Q+Q, 6Q=3Q+3Q,
7Q=6Q+Q, 14Q=7Q+7Q, 28Q=14Q+14Q and finally 29Q=28Q+Q=P=(127,203).

As mentioned above, another possible choice of the parameters is to let $p_i+1$ be divisible by 4 and $b=0$. A
public-key cryptographic system can be set up in a manner completely analogous to the above description.
The only change required is due to the fact that the elliptic-curve addition operation depends on $a$, while it is
independent of $b$. Thus, the elliptic-curve computation means ECC of Fig. 2 must compute $a$ according to

$$a \equiv [(y^2/x) - x^2] \pmod{m}$$

and

$$a \equiv [(z^2/w) - w^2] \pmod{m},$$

respectively, prior to performing the elliptic-curve multiplication.

It will be apparent that the two above-described trapdoor functions can also be used to set up a digital 
signature scheme in which messages and signatures consist of pairs of integers representing points on a par- 
ticular one of a class of elliptic curves. 

The same trapdoor one-way functions as described above can also be used to set up user identification
protocols.

One particular preferred embodiment of such a system is described in Figs. 3 and 4 and involves a com- 
bination of a trusted authority device TA, a verifying device VD and user identification devices ID which are 
for instance embodied as security modules or smart cards. 

Before issuing the first identification device, a trapdoor generator TG provided in the trusted authority
device TA secretly chooses $r$ prime numbers $p_1,\ldots,p_i,\ldots,p_r$ such that, for each of them, the respective
value $p_i+1$ is divisible by 3, and then forms their product $m = p_1 \cdots p_i \cdots p_r$. The trapdoor generator
TG then computes $\mu$ according to

$$\mu = \mathrm{lcm}[p_1 + 1,\ldots,p_i + 1,\ldots,p_r + 1],$$

chooses an appropriate number $e$ that is relatively prime to $\mu$ and computes $d$ according to

$$d \equiv 1/e \pmod{\mu}$$

A transmitter TR provided in the verifying device VD of the trusted authority then makes public the
parameters $m$ and $e$ as well as an easy to compute function $f$ that assigns pairs of integers $(x,y)$ satisfying
the conditions $0 \le x < m$ and $0 \le y < m$ to identification strings. For instance, this function $f$ could be
defined as "splitting the identification string in two halves and representing each half as one integer".

Also, it is preferred to store m and e into a storage means SM provided in the verifying device VD, else 
the verifying device VD would later have to interrogate a public directory for parameters m and e instead of 
having obtained them directly from the trusted authority device TA. 

When a user applies for an identification device ID, the trusted authority checks his identity and forms a
string $I$ uniquely representative of this identity. $I$ could contain the user's name, physical description,
clearance information, expiration date of the device, and so on. A message-to-elliptic-curve converter ME
provided in the trusted authority device TA then computes a pair of integers $(x,y)$ representative of a point
$P$ on an elliptic curve according to

$$P(x,y) = f(I).$$

The trusted authority device TA then computes a point $Q(s,t)$ on the same elliptic curve in an elliptic-curve
computation means ECC according to

$$Q(s,t) = d \cdot P(x,y)$$

and stores $m$, $e$, $P$ and $Q$ into a storage means SM of the applying user's identification device ID.

In order to prove a user's identity to a verifier, the user's identification device ID performs the following 
protocol with the verifying device VD of the verifier. 

First, a random integer generator RIG provided in the identification device ID chooses a random integer
$r$ satisfying the condition $0 \le r \le l$ wherein $l$ is an integer provided as a setting in the identification
device and satisfying the condition $l < m$. Then, an elliptic-curve computation means ECC provided in the
identification device ID computes a point $U(u_x,u_y)$ of the same elliptic curve as that on which $P$ is located,
according to

$$U(u_x,u_y) = r \cdot P(x,y).$$

In a preferred embodiment, the computation of $U$ is performed during an idle time of the identification
device, when no identification procedure is performed. Integer $r$ need not be chosen at random each time, instead,
several random points $U(u_x,u_y)$ could be stored for instance in the storage means SM and combinations thereof
can be formed each time a point $U(u_x,u_y)$ is required. It is important in this case that the set of random points
$U(u_x,u_y)$ be updated sufficiently often.

The identification device ID then computes in the elliptic-curve computation means ECC a point $V(v_x,v_y)$
of the same elliptic curve as that on which $P$ is located, according to

$$V(v_x,v_y) = e \cdot U(u_x,u_y)$$

The identification device ID then sends the claimed identity $I$ and the message $(v_x,v_y)$ representative of
the point $V(v_x,v_y)$ to the verifying device VD of the verifier, use being made of a transmitter TR provided in the
identification device ID and of a receiver RC provided in the verifying device VD.

The verifying device VD first makes an initial check, possibly in cooperation with an examining person
making a physical description of a user person to be identified, if any. The physical description of the user
person (e.g. his/her fingerprint, eye background, etc.) is compared with that claimed in the string $I$.
Optionally, also the expiration date or other parameters may be checked.

The verifying device VD then randomly selects a random integer $k$ satisfying the condition
$0 \le k \le (e-1)$ and sends $k$ as a challenge to the identification device ID, using a transmitter TR provided
in the verifying device VD.

The identification device ID is provided with a receiver RC for receiving $k$ from the verifying device VD,
and it has to respond to the challenge by sending an answer $(w_x,w_y)$ representative of the point $W(w_x,w_y)$
defined by

$$W(w_x,w_y) = U(u_x,u_y) + k \cdot Q(s,t)$$

which it computes with its elliptic-curve computation means ECC. By means of the transmitter TR provided in
the identification device ID, the latter's answer $(w_x,w_y)$ representative of the point $W(w_x,w_y)$ is transmitted
to the verifying device VD where there are computed, by means of an elliptic-curve computation means ECC
and the storage means SM provided in the verifying device VD, points $T_1(t_{1x},t_{1y})$ and $T_2(t_{2x},t_{2y})$ of
the same elliptic curve as that on which $P$ is located, according to

$$T_1(t_{1x},t_{1y}) = e \cdot W(w_x,w_y)$$

and

$$T_2(t_{2x},t_{2y}) = V(v_x,v_y) + k \cdot P(x,y)$$

wherein $P(x,y)$ is computed according to $P(x,y) = f(I)$ as described above in respect of the trusted authority's
computation.

Finally, in a comparator CMP provided in the verifying device VD, it is checked whether points
$T_1(t_{1x},t_{1y})$ and $T_2(t_{2x},t_{2y})$ are identical: in the affirmative, the identification device ID and its
user are accepted as genuine, in particular, it is ascertained that the identification-requesting user actually is
that one which corresponds to the identification string $I$.

It can be proved that the only possible way by which a fraudulent impersonator who does not know the
point $Q(s,t)$ could cheat is to guess the challenge number $k$ correctly in advance. The chances of success are
only 1:e, which is very small when $e$ is sufficiently large. In a preferred embodiment $e$ is a prime number of
the order of for instance $10^6$ to $10^9$. This protocol can also be repeated several times to further reduce an
eavesdropper's chance of successful impersonation.
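The toy encryption example above (m = 391, e = 5, d = 29) and one round of the identification protocol, as an added Python example that is not part of the patent text. The function names, the fixed values r = 3 and k = 2, and the exception that carries gcd(denominator, m) when a division fails are assumptions of this example; a = 0 is used throughout, as in the first choice of parameters.

```python
"""Toy run of the E_m(0,b) trapdoor function (a = 0, every p_i + 1 divisible by 3)."""
from math import gcd


class DivisionFailure(ArithmeticError):
    """A denominator was not invertible mod m; .factor is gcd(denominator, m)."""

    def __init__(self, factor):
        super().__init__(f"denominator shares the factor {factor} with m")
        self.factor = factor


def inverse(v, m):
    g = gcd(v % m, m)
    if g != 1:
        raise DivisionFailure(g)      # g == m: the sum is the point at infinity
    return pow(v, -1, m)


def add(P1, P2, a, m):
    """P1 + P2 with the finite-field rule, every operation carried out in Z_m."""
    (x1, y1), (x2, y2) = P1, P2
    if P1 == P2:                      # doubling only for identical points
        t = (3 * x1 * x1 + a) * inverse(2 * y1, m) % m
    else:
        t = (y2 - y1) * inverse(x2 - x1, m) % m
    x3 = (t * t - x1 - x2) % m
    y3 = (t * (x1 - x3) - y1) % m
    return (x3, y3)


def mul(k, P, a, m):
    """k*P for k >= 1 by repeated doubling, scanning the bits of k left to right."""
    if k < 1:
        raise ValueError("the point at infinity is not an element of E_m")
    R = P
    for bit in bin(k)[3:]:            # skip '0b' and the leading 1 bit
        R = add(R, R, a, m)
        if bit == "1":
            R = add(R, P, a, m)
    return R


def trapdoor(primes, e):
    """Return (m, mu, d) for the a = 0 class: mu = lcm(p_i + 1), d = 1/e mod mu."""
    m, mu = 1, 1
    for p in primes:
        if (p + 1) % 3:
            raise ValueError(f"{p} + 1 is not divisible by 3")
        m *= p
        mu = mu * (p + 1) // gcd(mu, p + 1)
    return m, mu, pow(e, -1, mu)      # ValueError if e is not coprime to mu


def exposed_factor(P1, P2, a, m):
    """Factor of m leaked by a failed addition, or None if the sum is defined."""
    try:
        add(P1, P2, a, m)
    except DivisionFailure as failure:
        return failure.factor
    return None


def identification_round(P, Q, e, m, r, k):
    """One challenge-response round; returns the verifier's points (T1, T2)."""
    U = mul(r, P, 0, m)                                  # device: U = r*P
    V = mul(e, U, 0, m)                                  # device -> verifier: V = e*U
    W = U if k == 0 else add(U, mul(k, Q, 0, m), 0, m)   # response: W = U + k*Q
    T1 = mul(e, W, 0, m)                                 # verifier: T1 = e*W
    T2 = V if k == 0 else add(V, mul(k, P, 0, m), 0, m)  # verifier: T2 = V + k*P
    return T1, T2


if __name__ == "__main__":
    m, mu, d = trapdoor([17, 23], e=5)                   # the text's toy parameters
    P = (127, 203)                                       # the text's message point
    C = mul(5, P, 0, m)
    print("m, mu, d =", m, mu, d)
    print("2P =", add(P, P, 0, m), "ciphertext =", C, "decrypted =", mul(d, C, 0, m))
    print("doubling 4P leaks the factor", exposed_factor((350, 230), (350, 230), 0, m))
    Q = mul(d, P, 0, m)                                  # authority's point Q = d*P
    # r and k are fixed, constructed values here; the devices draw them at random.
    print("device holding Q :", identification_round(P, Q, 5, m, r=3, k=2))
    print("device without Q :", identification_round(P, P, 5, m, r=3, k=2))
```

With parameters this small a failed division is easy to hit: doubling 4P = (350,230) needs 1/(2·230) mod 391, and gcd(460, 391) = 23, which is the factor of m the text says such a failure reveals.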

The following may be noted, which will readily appear from the preceding description of the invention.
Generally, in a cryptographic system according to the invention, if the system is used for public-key message
encryption and decryption the trapdoor generator will be located in the decryption station, while if the system is
used as a digital signature scheme the trapdoor generator will be located in the encryption station, and if the
system is used for user identification the trapdoor generator will be located in the trusted authority device.
Clearly, instead of providing that the trapdoor generator is located in the respective station or device as
explained above, it is equivalent to provide that the trapdoor generator is located somewhere else and transmits
the necessary parameters to the respective station or device mentioned above, for storage of these parameters
therein.

A detailed view of the means provided in a cryptographic system according to the invention is given below.
It must be understood that the means listed below may be embodied as separate devices or integrated in part
or completely in one or several devices. In this sense, means are repeatedly listed below, some or all of which
may be merged into single means performing several operations in succession.

• A first embodiment of the trapdoor generator is comprised of

= means for selecting a multiplicity $r$ of distinct prime numbers $p_i$ wherein $i$ is an integer satisfying the
conditions $1 \le i \le r$ ;
= means for generating a modulus $m$ that is a product of the prime numbers $p_i$ ;
= means for selecting a pair of integers $(a,b)$ satisfying the conditions $0 \le a < m$ and $0 \le b < m$ ;
= means for computing, for each prime number $p_i$, a number $N(p_i)$ of distinct pairs of integers $(x,y)$
satisfying the conditions $0 \le x < p_i$ and $0 \le y < p_i$ and further satisfying the condition

$$y^2 \equiv x^3 + ax + b \pmod{p_i}$$

and for computing from the numbers $N(p_i)$ a sum value $N(p_i) + 1$ representative of an order of such
an elliptic curve which is defined as the set of the pairs of integers $(x,y)$ ;
= means for computing a least common multiple $\mu$ of the sum values $N(p_i) + 1$ ;
= means for selecting a public multiplier $e$ which is relatively prime to $\mu$ ;
= means for computing a secret multiplier $d$ according to an equation

$$d \equiv 1/e \pmod{\mu} ;$$

and

= transfer means for transferring data comprising at least the modulus $m$, pair of integers $(a,b)$ and
public multiplier $e$ to a corresponding storage means provided in the cryptographic system for locally
storing the data therein.

• A second embodiment of the trapdoor generator is comprised of

= means for selecting a multiplicity $r$ of distinct prime numbers $p_i$ each having a respectively
corresponding sum value $(p_i + 1)$ that satisfies the condition

$$(p_i + 1) \equiv 0 \pmod{j}$$

wherein $i$ is an integer satisfying the conditions $1 \le i \le r$ and $j$ is an integer whose value is selected
from 3 or 4 ;
= means for generating a modulus $m$ that is a product of the prime numbers $p_i$ ;
= means for computing the least common multiple $\mu$ of the numbers $(p_i + 1)$ ;
= means for selecting a public multiplier $e$ which is relatively prime to $\mu$ ;
= means for computing a secret multiplier $d$ according to an equation

$$d \equiv 1/e \pmod{\mu} ;$$

and

= transfer means for transferring data comprising at least the modulus $m$ and public multiplier $e$ to a
corresponding storage means provided in the cryptographic system for locally storing the data therein.

• In this second embodiment of the trapdoor generator, preferably the selected value of integer $j$ is provided
as a setting in all stations of the cryptographic system, or the data transferred by the transfer means
also comprise the selected value of integer $j$.

• In both the first and second embodiment of the trapdoor generator, preferably, the corresponding storage
means is a public directory which can be interrogated by any station of the cryptographic system for
locally storing therein the data transferred from the trapdoor generator by the transfer means, or the
corresponding storage means is included in a station of the cryptographic system for locally storing therein
the data transferred from the trapdoor generator by the transfer means.

If the system is used as a digital signature scheme, the encryption station is a signature encryption
station which comprises

= the first embodiment of the trapdoor generator ;
= either
  = means for selecting an integer $x$ subjected to predetermined conditions provided as a setting
  in all stations of the cryptographic system ;
= or
  = input means for being inputted an integer $x$ subjected to predetermined conditions provided as a
  setting in all stations of the cryptographic system ;
  = storage means for the inputted integer $x$ ;
and further
= a message-to-elliptic-curve converter means for computing from the integer $x$ a pair of integers $(s,t)$
such that
  = the integer $s$ satisfies a predetermined relationship to the integer $x$, which relationship is provided
  as a setting in all stations of the cryptographic system, and
  = the pair of integers $(s,t)$ satisfies the condition

$$t^2 \equiv s^3 + as + b \pmod{m}$$

whereby the integers $(s,t)$ are representative of a point $Q(s,t)$ of the elliptic curve ;
= an elliptic-curve computation means for performing on the point $Q(s,t)$ an elliptic-curve computation

$$P(u,v) = d \cdot Q(s,t)$$

for computing a point $P(u,v)$ of the elliptic curve whose coordinates are a pair of integers $(u,v)$
representative of an encrypted signature corresponding to the integer $x$ ; and
= transmission means for transmitting the pair of integers $(u,v)$ for reception thereof at a signature
decryption station.

Again if the system is used as a digital signature scheme, and if the encryption station is a signature
encryption station which, however, does not comprise the trapdoor generator, then

• the trapdoor generator is constructed according to the first embodiment and further comprises
means for transferring at least the multiplicity $r$ of distinct prime numbers $p_i$, modulus $m$, pair of
integers $(a,b)$ and secret multiplier $d$ to the signature encryption station, and

• the signature encryption station comprises

= either
  = input means for being inputted at least the multiplicity $r$ of distinct prime numbers $p_i$, modulus
  $m$, pair of integers $(a,b)$ and secret multiplier $d$ ;
  = storage means for at least the inputted multiplicity $r$ of distinct prime numbers $p_i$, modulus $m$,
  pair of integers $(a,b)$ and secret multiplier $d$ ; and
  = means for selecting an integer $x$ subjected to predetermined conditions provided as a setting
  in all stations of the cryptographic system ;
= or
  = input means for being inputted at least the multiplicity $r$ of distinct prime numbers $p_i$, modulus
  $m$, pair of integers $(a,b)$ and secret multiplier $d$, and further for being inputted an integer $x$
  subjected to predetermined conditions provided as a setting in all stations of the cryptographic
  system ;
  = storage means for at least the inputted multiplicity $r$ of distinct prime numbers $p_i$, modulus $m$,
  pair of integers $(a,b)$, secret multiplier $d$ and integer $x$ ;
and further
= a message-to-elliptic-curve converter means for computing from the integer $x$ a pair of integers
$(s,t)$ such that
  = the integer $s$ satisfies a predetermined relationship to the integer $x$, which relationship is
  provided as a setting in all stations of the cryptographic system, and
  = the pair of integers $(s,t)$ satisfies the condition

$$t^2 \equiv s^3 + as + b \pmod{m}$$

whereby the integers $(s,t)$ are representative of a point $Q(s,t)$ of the elliptic curve ;
= an elliptic-curve computation means for performing on the point $Q(s,t)$ an elliptic-curve
computation

$$P(u,v) = d \cdot Q(s,t)$$

for computing a point $P(u,v)$ of the elliptic curve whose coordinates are a pair of integers $(u,v)$
representative of an encrypted signature corresponding to the integer $x$ ; and
= transmission means for transmitting the pair of integers $(u,v)$ for reception thereof at a signature
decryption station.

Preferably, if the system is used as a digital signature scheme as described last, the message-to- 
elliptic-curve converter means comprises 
= means for computing the integer s from the integer x by assigning to the integer s the smallest
value which satisfies the condition

s ≥ x

and for which the expression

s^3 + a·s + b (mod m)

evaluates to a quadratic residue (mod m) ; and
= means for computing the integer t as a square root (mod m) of the quadratic residue (mod m).
Also preferably, if the system is used as a digital signature scheme as described last, the integer x 
is selected to have a predetermined inherent redundancy, and more preferably the integer x is se- 
lected such that its binary representation has a predetermined number of least significant bits all 
having a same binary value. 

Again, if the system is used as a digital signature scheme as described last, the decryption station 
is a signature decryption station which comprises 

= receiver means for receiving the pair of integers (u,v) representative of an encrypted signature
corresponding to the integer x ;
= either

= means for interrogating a public directory for being transferred therefrom at least the modulus
m, the pair of integers (a,b) and the public multiplier e ;
= storage means for at least the transferred modulus m, pair of integers (a,b) and public multiplier
e ;

= or

= input means for being inputted at least the modulus m, pair of integers (a,b) and public
multiplier e transferred from the trapdoor generator by the transfer means ;

= storage means for at least the transferred modulus m, pair of integers (a,b) and public multiplier
e ;

and further

= an elliptic-curve computation means for performing, on the point P(u,v) of the elliptic curve whose
coordinates are the pair of integers (u,v), an elliptic-curve computation

Q(s,t) = e · P(u,v)

for computing a point Q(s,t) of the elliptic curve whose coordinates are the pair of integers (s,t) ;
and

= an authentication means comprising 

= means for computing a decrypted signature from at least the integer s in consideration of the 

predetermined relationship between the integer s and the integer x, and 
= means for determining whether the decrypted signature satisfies the predetermined condi- 
tions to which integer x is subjected, in which case the decrypted signature is proved authentic. 
Preferably, if the system is used as a digital signature scheme and the decryption station is a sig- 
nature decryption station as described last, the authentication means comprises means for deter- 
mining whether each of the t least significant bits of integer s has the one and the same predeter- 
mined binary value. 

In another series of embodiments, if the system is used as a digital signature scheme, the encryption 
station is a signature encryption station which comprises 

= the second embodiment of the trapdoor generator ; 

= either 

= means for selecting a pair of integers (x,y) satisfying the conditions 0 ≤ x < m and 0 ≤
y < m and further subjected to predetermined conditions provided as a setting in all stations of
the cryptographic system ;
= or

= input means for being inputted a pair of integers (x,y) satisfying the conditions 0 ≤ x <
m and 0 ≤ y < m and further subjected to predetermined conditions provided as a setting in all
stations of the cryptographic system ;
and further

= means for computing integer a according to equation

a ≡ [(y^2/x) - x^2] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for the integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;
= storage means for the inputted pair of integers (x,y) ;

= an elliptic-curve computation means for performing, on a point P(x,y) of an elliptic curve which
point is representative of the integers (x,y), an elliptic-curve computation

Q(w,z) = d · P(x,y)

using the value of integer a computed in the computing means to compute a point Q(w,z) of the
elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted
signature corresponding to the pair of integers (x,y) ; and
= transmission means for transmitting the pair of integers (w,z) for reception thereof at a signature
decryption station.

• Again if the system is used as a digital signature scheme using a trapdoor generator constructed 
according to the second embodiment thereof, and if the encryption station is a signature encryption 
station which, however, does not comprise the trapdoor generator, then 

• the encryption station is a signature encryption station, 

• the trapdoor generator further comprises means for transferring at least said multiplicity r of
distinct prime numbers p_i, modulus m and secret multiplier d to the signature encryption station, and

• the signature encryption station comprises

= input means for being inputted at least said multiplicity r of distinct prime numbers p_i, modulus
m and secret multiplier d ;
= storage means for at least said inputted multiplicity r of distinct prime numbers p_i, modulus m
and secret multiplier d ;
= either

= means for selecting a pair of integers (x,y) satisfying the conditions 0 ≤ x < m and 0
≤ y < m and further subjected to predetermined conditions provided as a setting in all stations
of the cryptographic system ;
= or

= input means for being inputted a pair of integers (x,y) satisfying the conditions 0 ≤ x < m
and 0 ≤ y < m and further subjected to predetermined conditions provided as a setting
in all stations of the cryptographic system ;

= storage means for the inputted pair of integers (x,y) ;
and further

= means for computing integer a according to equation

a ≡ [(y^2/x) - x^2] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j
= 3 has been selected for the integer j at the trapdoor generator, in which latter case the means
for computing integer a actually can be dispensed with ;
= an elliptic-curve computation means for performing, on a point P(x,y) of an elliptic curve which
point is representative of the integers (x,y), an elliptic-curve computation

Q(w,z) = d · P(x,y)

using the value of integer a computed in the computing means to compute a point Q(w,z) of
the elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted
signature corresponding to the pair of integers (x,y) ; and
= transmission means for transmitting the pair of integers (w,z) for reception thereof at a
signature decryption station.

• Preferably, if the system is used as a digital signature scheme and the encryption station is a
signature encryption station as described last, and if the selected value of integer j is provided as a
setting in all stations of the cryptographic system, then the decryption station is a signature decryption
station which comprises
= either

= means for interrogating a public directory for being transferred therefrom at least the modulus
m and public multiplier e ;
= storage means for at least the transferred modulus m and public multiplier e ;
= or

= input means for being inputted at least the modulus m and public multiplier e transferred from
the trapdoor generator by the transfer means ;
= storage means for at least the transferred modulus m and public multiplier e ;
= receiver means for receiving the pair of integers (w,z) representative of an encrypted message
corresponding to the pair of integers (x,y) ;
= means for computing integer a according to equation

a ≡ [(z^2/w) - w^2] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for the integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;
= an elliptic-curve computation means for performing, on a point Q(w,z) of the elliptic curve whose
coordinates are the pair of integers (w,z), an elliptic-curve computation

P(x,y) = e · Q(w,z)

using the value of integer a computed in the computing means to compute a point P(x,y) of the
elliptic curve whose coordinates are the pair of integers (x,y) representative of a decrypted
message ; and

= an authentication means for determining whether the elliptic-curve computation means has
successfully computed a pair of integers (x,y) satisfying the predetermined conditions provided as
a setting in all stations of the cryptographic system.
Also preferably, if the system is used as a digital signature scheme and the encryption station is a
signature encryption station as described last, and if the data transferred by the transfer means also
comprise the selected value of integer j, then the decryption station is a signature decryption station
which comprises
= either

= means for interrogating a public directory for being transferred therefrom at least the modulus
m, public multiplier e and integer j ;
= storage means for at least the transferred modulus m, public multiplier e and integer j ;
= or

= input means for being inputted at least the modulus m, public multiplier e and integer j
transferred from the trapdoor generator by the transfer means ;
= storage means for at least the transferred modulus m, public multiplier e and integer j ;
and further

= receiver means for receiving the pair of integers (w,z) representative of an encrypted message
corresponding to the pair of integers (x,y) ;
= means for computing integer a according to equation

a ≡ [(z^2/w) - w^2] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for the integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;
= an elliptic-curve computation means for performing, on a point Q(w,z) of the elliptic curve whose
coordinates are the pair of integers (w,z), an elliptic-curve computation

P(x,y) = e · Q(w,z)

using the value of integer a computed in the computing means to compute a point P(x,y) of the
elliptic curve whose coordinates are the pair of integers (x,y) representative of a decrypted
message ; and

= an authentication means for determining whether the elliptic-curve computation means has
successfully computed a pair of integers (x,y) satisfying the predetermined conditions provided as
a setting in all stations of the cryptographic system.
• If the system is used for public-key message encryption and decryption, the encryption station is a 
message encryption station which comprises 

= either, if the storage means is a public directory which can be interrogated by any station of the 
cryptographic system for locally storing therein the data transferred from the trapdoor generator 
by the transfer means, and if the selected value of integer j is provided as a setting in all stations
of the cryptographic system,

= means for interrogating a public directory for being transferred therefrom at least the modulus
m and public multiplier e ;
= storage means for at least the transferred modulus m and public multiplier e ;
= or, again if the storage means is a public directory which can be interrogated by any station of
the cryptographic system for locally storing therein the data transferred from the trapdoor
generator by the transfer means, but if the data transferred by the transfer means also comprise the
selected value of integer j,

= means for interrogating a public directory for being transferred therefrom at least the modulus
m, public multiplier e and integer j ;
= storage means for at least the transferred modulus m and public multiplier e and integer j ;
= or, if the corresponding storage means is included in a station of the cryptographic system for
locally storing therein the data transferred from the trapdoor generator by the transfer means,
and if the selected value of integer j is provided as a setting in all stations of the cryptographic
system,

= input means for being inputted at least the modulus m and public multiplier e transferred from
the trapdoor generator by the transfer means ;
= storage means for at least the transferred modulus m and public multiplier e ;
= or, if the corresponding storage means is included in a station of the cryptographic system for
locally storing therein the data transferred from the trapdoor generator by the transfer means,
but if the data transferred by the transfer means also comprise the selected value of integer j,
= input means for being inputted at least the modulus m, public multiplier e and integer j
transferred from the trapdoor generator by the transfer means ;
= storage means for at least the transferred modulus m, public multiplier e and integer j ;
and further

= message input means for being inputted a pair of integers (x,y) representative of a message,
satisfying the conditions 0 ≤ x < m and 0 ≤ y < m ;

= means for computing integer a according to equation

a ≡ [(y^2/x) - x^2] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for the integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;

= an elliptic-curve computation means for performing, on a point P(x,y) of an elliptic curve which
is representative of the integers (x,y), an elliptic-curve computation

Q(w,z) = e · P(x,y)

using the value of integer a computed in the computing means to compute a point Q(w,z) of the
elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted
message corresponding to the pair of integers (x,y) ; and
= transmission means for transmitting the pair of integers (w,z) for reception thereof at a message
decryption station.

Preferably, if the system is used for public-key message encryption and decryption and the encryp- 
tion station is a message encryption station as described last, the decryption station is a message 
decryption station which comprises 
= the second embodiment of the trapdoor generator ; 

= receiver means for receiving the pair of integers (w,z) representative of an encrypted message
corresponding to the pair of integers (x,y) ;
= means for computing integer a according to equation

a ≡ [(z^2/w) - w^2] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for the integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ; and
= an elliptic-curve computation means for performing, on a point Q(w,z) of the elliptic curve whose
coordinates are the pair of integers (w,z), an elliptic-curve computation

P(x,y) = d · Q(w,z)

using the value of integer a computed in the computing means to compute a point P(x,y) of the
elliptic curve whose coordinates are the pair of integers (x,y) representative of a decrypted
message.

Preferably, if the decryption station is a message decryption station as described last, 
• the trapdoor generator further comprises 

■ either, if the selected value of integer j is provided as a setting in all stations of the
cryptographic system,

= means for transferring at least the modulus m and secret multiplier d to the message
decryption station,

■ or, if the data transferred by the transfer means also comprise the selected value of integer j,
= means for transferring at least the modulus m, secret multiplier d and integer j to the
message decryption station,
• and the message decryption station comprises

■ either, if the selected value of integer j is provided as a setting in all stations of the
cryptographic system,

= input means for being inputted at least the modulus m and secret multiplier d ;
= storage means for at least the inputted modulus m and secret multiplier d ;
■ or, if the data transferred by the transfer means also comprise the selected value of integer j,
= input means for being inputted at least the modulus m, secret multiplier d and integer j ;
= storage means for at least the inputted modulus m, secret multiplier d and integer j ;
and the message decryption station further comprises

= receiver means for receiving the pair of integers (w,z) representative of an encrypted message
corresponding to the pair of integers (x,y) ;

= means for computing integer a according to equation

a ≡ [(z^2/w) - w^2] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3 has
been selected for the integer j at the trapdoor generator, in which latter case the means for computing
integer a actually can be dispensed with ; and

= an elliptic-curve computation means for performing, on a point Q(w,z) of the elliptic curve whose
coordinates are the pair of integers (w,z), an elliptic-curve computation

P(x,y) = d · Q(w,z)

using the value of integer a computed in the computing means to compute a point P(x,y) of the elliptic
curve whose coordinates are the pair of integers (x,y) representative of a decrypted message.
• If the system is used for user identification, it further comprises 

= a trusted authority device for issuing data allowing identification of a station of the cryptographic
system ; and

= at least one identification device included in a station of the cryptographic system and equipped with
storage means for the identification allowing data ;
= at least one verification device included in another station of the cryptographic system and adapted
to cooperate with the identification device ;
• the trusted authority device being equipped with the second embodiment of the trapdoor generator
and further comprising

= means for selecting an identification data string I uniquely representative of an identity of an applicant
for the identification device ;
= means for selecting a function f that assigns to any of the unique strings I a respective unique pair
of integers (x,y) satisfying the conditions 0 ≤ x < m and 0 ≤ y < m, whereby the integers (x,y) are
representative of a point P(x,y) = f(I) of an elliptic curve ;
= an elliptic-curve computation means for performing on the point P(x,y) an elliptic-curve computation

Q(s,t) = d · P(x,y)

for computing a point Q(s,t) of the elliptic curve whose coordinates are a pair of integers (s,t)
representative of an encrypted string corresponding to the identification data string I ; and
= transfer means for transferring at least the identification data string I, modulus m, public multiplier
e, pair of integers (x,y) and pair of integers (s,t) to the storage means of the identification device for
storage therein.

• Preferably, if the system is used for user identification as described last, the function f is provided as a 
setting in all stations of the cryptographic system, or the data transferred by the transfer means also 
comprise the function f. 

• If the system is used for user identification as described above, then 

- if the data transferred by the transfer means also comprise the function f, then the trusted authority 
device further comprises transfer means for transferring the function f to 
• either a corresponding storage means provided in the verification device for locally storing the
function f in the verification device ;
• or a public directory which can be interrogated by any station for locally storing the function f in
the station ;
• and the identification device comprises

= means for computing integer a according to equation

a ≡ [(y^2/x) - x^2] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for the integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;
= means for selecting a random integer r satisfying the condition 0 ≤ r ≤ l wherein l is an integer
provided as a setting in the identification device and satisfying the condition l < m ;
= an elliptic-curve computation means for performing, on the point P(u,v) of the elliptic curve whose
coordinates are the pair of integers (u,v), an elliptic-curve computation

U(u_x,u_y) = r · P(x,y)

for computing a point U(u_x,u_y) of the elliptic curve whose coordinates are a pair of integers (u_x,u_y) ;
= an elliptic-curve computation means for performing, on the point U(u_x,u_y) of the elliptic curve
whose coordinates are the pair of integers (u_x,u_y), an elliptic-curve computation

V(v_x,v_y) = e · U(u_x,u_y)

for computing a point V(v_x,v_y) of the elliptic curve whose coordinates are a pair of integers (v_x,v_y) ;

= transmission means for transmitting the identification data string I and pair of integers (v_x,v_y) for
reception thereof at the other station including the verification device ;

= receiver means for receiving an integer k as a challenge from the other station including the
verification device ;

= an elliptic-curve computation means for performing, on the point Q(s,t) of the elliptic curve whose
coordinates are the pair of integers (s,t), an elliptic-curve computation

W(w_x,w_y) = U(u_x,u_y) + k · Q(s,t)

for computing a point W(w_x,w_y) of the elliptic curve whose coordinates are a pair of integers
(w_x,w_y) ;

= transmission means for transmitting the pair of integers (w_x,w_y) for reception thereof at the other
station including the verification device ;
and

■ if the data transferred by the transfer means also comprise the function f, and the trusted authority
device comprises transfer means for transferring the function f to a corresponding storage means
provided in the verification device for locally storing the function f in the verification device, then the
verification device comprises
= input means for being inputted at least the function f from the trusted authority device by the
transfer means thereof ;
= storage means for at least the transferred function f,
■ if the data transferred by the transfer means also comprise the function f, and the trusted authority
device comprises transfer means for transferring the function f to a public directory which can be
interrogated by any station for locally storing the function f in the station, then the verification device
comprises

= means for interrogating a public directory for being transferred therefrom at least the function f ;
= storage means for at least the transferred function f ;
and the verification device further comprises

= means for computing from the identification data string I according to the function f the pair of
integers (x,y) representative of a point P(x,y) = f(I) of the elliptic curve ;

= means for selecting a random integer k satisfying the condition 0 ≤ k < (e - 1) ;

= transmission means for transmitting the random integer k for reception thereof at the station including
the identification device as a challenge ;

= receiver means for receiving the pair of integers (w_x,w_y) as a response to the challenge from the
station including the identification device ;

= an elliptic-curve computation means for performing, on the point W(w_x,w_y) of the elliptic curve whose
coordinates are the pair of integers (w_x,w_y), an elliptic-curve computation

T_1(t_1x,t_1y) = e · W(w_x,w_y)

for computing a point T_1(t_1x,t_1y) of the elliptic curve whose coordinates are a pair of integers (t_1x,t_1y) ;
= an elliptic-curve computation means for performing, on the point W(w_x,w_y) of the elliptic curve whose
coordinates are the pair of integers (w_x,w_y), an elliptic-curve computation

T_2(t_2x,t_2y) = V(v_x,v_y) + k · P(x,y)

for computing a point T_2(t_2x,t_2y) of the elliptic curve whose coordinates are a pair of integers (t_2x,t_2y) ;
and

= means for comparing the pairs of integers (t_1x,t_1y) and (t_2x,t_2y) with each other so as to determine
whether both test conditions t_1x = t_2x and t_1y = t_2y are satisfied by the pairs of integers (t_1x,t_1y) and (t_2x,t_2y).
• Preferably, if the system is used for user identification as described last, the means for selecting a
random integer k and the transmission means for transmitting the random integer k as a challenge are
constructed for recurrent operation a plurality of times in the course of an identification session.
It will be understood that the above described embodiments are but examples from which it is possible to
deviate without departing from the scope of the invention as defined in the appended claims.
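The second-embodiment stations described above (message encryption and decryption, signature with an authentication check, and one challenge-response identification round) can be traced end to end in a short model. This is an added example, not code from the patent: the two primes, the 16-bit redundancy rule, the byte encoding and all function names are assumptions, and only the case j = 4 (curve y^2 = x^3 + a·x) is covered.

```python
from math import gcd

# Constructed toy parameters (assumption): two well-known primes, both = 3 mod 4,
# so j = 4 applies. Far too small to resist factoring; illustration only.
P1, P2, J = 1_000_000_007, 2**61 - 1, 4
T = 16  # assumed redundancy setting: the T low bits of x and y must be zero

class NoInverse(ArithmeticError):
    """A denominator shares a factor with m, so the group law is undefined."""

def inv(v, m):
    v %= m
    if gcd(v, m) != 1:
        raise NoInverse("denominator not invertible mod m")
    return pow(v, -1, m)

def trapdoor(p1=P1, p2=P2, j=J, e=65537):
    """Trapdoor generator: returns (m, e, d) with d = 1/e mod lcm(p_i + 1)."""
    if (p1 + 1) % j or (p2 + 1) % j:
        raise ValueError("each prime must satisfy p + 1 = 0 (mod j)")
    mu = (p1 + 1) * (p2 + 1) // gcd(p1 + 1, p2 + 1)
    while gcd(e, mu) != 1:  # public multiplier must be relatively prime to mu
        e += 2
    return p1 * p2, e, pow(e, -1, mu)

def curve_a(point, m):
    """a = (y^2/x - x^2) mod m: for j = 4 the point itself fixes the curve."""
    x, y = point
    if not (0 <= x < m and 0 <= y < m):
        raise ValueError("coordinates must satisfy 0 <= x < m and 0 <= y < m")
    return (y * y * inv(x, m) - x * x) % m

def add(p, q, a, m):
    """Chord-and-tangent addition on y^2 = x^3 + a*x mod m (None = infinity)."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % m == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 + a) * inv(2 * y1, m) % m
    else:
        lam = (y2 - y1) * inv(x2 - x1, m) % m
    x3 = (lam * lam - x1 - x2) % m
    return x3, (lam * (x1 - x3) - y1) % m

def mul(k, point, a, m):
    """k * point by left-to-right double-and-add."""
    acc = None
    for bit in bin(k)[2:]:
        acc = add(acc, acc, a, m)
        if bit == "1":
            acc = add(acc, point, a, m)
    return acc

def transform(k, point, m):
    """What every station does: recompute a from the input point, then multiply."""
    return mul(k, point, curve_a(point, m), m)

def encode(data):
    """Constructed encoding: bytes -> integer whose T low bits are zero."""
    return int.from_bytes(data, "big") << T

def verify(sig, e, m):
    """Signature decryption: P = e * Q, accepted only if P carries the redundancy."""
    try:
        p = transform(e, sig, m)
    except NoInverse:
        return None
    ok = p is not None and all(c & ((1 << T) - 1) == 0 for c in p)
    return p if ok else None

def identify_round(p, q, r, k, e, m):
    """Prover holds Q = d*P; verifier checks e*W == V + k*P."""
    a = curve_a(p, m)
    u = mul(r, p, a, m)                    # prover: commitment point U = r*P
    v = mul(e, u, a, m)                    # prover sends V = e*U
    w = add(u, mul(k, q, a, m), a, m)      # prover answers challenge k
    t1 = mul(e, w, a, m)                   # verifier: T1 = e*W
    t2 = add(v, mul(k, p, a, m), a, m)     # verifier: T2 = V + k*P
    return t1 == t2

if __name__ == "__main__":
    m, e, d = trapdoor()
    msg = (encode(b"EP0503119"), encode(b"B1"))
    ct = transform(e, msg, m)              # message encryption: Q = e*P
    print("decrypts :", transform(d, ct, m) == msg)
    sig = transform(d, msg, m)             # signature: Q = d*P
    print("verifies :", verify(sig, e, m) == msg)
    print("forgery  :", verify((123456789, 987654321), e, m))
    print("identify :", identify_round(msg, sig, 424242, 31337, e, m))
```

Without the redundancy test in `verify`, any pair (w,z) would "verify" to some point, which is why the authentication means checks the predetermined conditions on (x,y).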



Claims 

1. A cryptographic communications system comprised of at least one communications channel (COM), at
least one encryption station (A;B), at least one decryption station (B;A), said encryption and decryption
stations being mutually linked through the communications channel, and further comprised of a trapdoor
generator (TG), said trapdoor generator being characterized in that it comprises

= means for selecting a multiplicity r of distinct prime numbers p_i wherein i is an integer satisfying the
conditions 1 ≤ i ≤ r ;
= means for generating a modulus m that is a product of said prime numbers p_i ;
= means for selecting a pair of integers (a,b) satisfying the conditions 0 ≤ a < m and 0 ≤ b < m ;
= means for computing, for each prime number p_i, a number N(p_i) of distinct pairs of integers (x,y)
satisfying the conditions 0 ≤ x < p_i and 0 ≤ y < p_i and further satisfying the condition

y^2 ≡ x^3 + a·x + b (mod p_i)

and for computing from said numbers N(p_i) a sum value N(p_i) + 1 representative of an order of such
an elliptic curve which is defined as the set of said pairs of integers (x,y) ;
= means for computing a least common multiple μ of said sum values N(p_i) + 1 ;
= means for selecting a public multiplier e which is relatively prime to μ ;
= means for computing a secret multiplier d according to an equation

d ≡ 1/e (mod μ) ;

and

= transfer means for transferring data comprising at least said modulus m, pair of integers (a,b) and
public multiplier e to a corresponding storage means (PD) provided in the cryptographic system for
locally storing said data therein,

whereby the cryptographic system is provided with a trapdoor one-way function for a transformation
whose trapdoor is the secret multiplier d.

2. A cryptographic communications system comprised of at least one communications channel (COM), at
least one encryption station (A;B), at least one decryption station (B;A), said encryption and decryption
stations being mutually linked through the communications channel, and further comprised of a trapdoor
generator (TG), said trapdoor generator being characterized in that it comprises

= means for selecting a multiplicity r of distinct prime numbers p_i each having a respectively
corresponding sum value (p_i + 1) that satisfies the condition

(p_i + 1) ≡ 0 (mod j)

wherein i is an integer satisfying the conditions 1 ≤ i ≤ r and j is an integer whose value is selected
from 3 or 4 ;

= means for generating a modulus m that is a product of said prime numbers p_i ;
= means for computing the least common multiple μ of said numbers (p_i + 1) ;
= means for selecting a public multiplier e which is relatively prime to μ ;

= means for computing a secret multiplier d according to an equation

d ≡ 1/e (mod μ) ;

= transfer means for transferring data comprising at least said modulus m and public multiplier e to a
corresponding storage means (PD) provided in the cryptographic system for locally storing said data

whereby the cryptographic system is provided with a trapdoor one-way function for a transformation
whose trapdoor is the secret multiplier d.

3. Cryptographic system according to claim 1 or 2, wherein said corresponding storage means is a public
directory (PD) which can be interrogated by any station of the cryptographic system for locally storing
therein said data transferred from said trapdoor generator (TG) by said transfer means.

Cryptographic system according to claim 1 or 2, wherein said corresponding storage (ECC) means is
included in a station (A;B) of the cryptographic system for locally storing therein said data transferred from
said trapdoor generator by said transfer means.

Cryptographic system according to claim 2, wherein said selected value of integer j is provided as a setting
in all stations of the cryptographic system.

Cryptographic system according to claim 2, wherein said data transferred by said transfer means also
comprise said selected value of integer j.

Cryptographic system according to claim 1, wherein the encryption station is a signature encryption
station (A) which comprises

= said trapdoor generator (TG) ;

= means for selecting an integer x subjected to predetermined conditions provided as a setting in all
stations of the cryptographic system ;

= a message-to-elliptic-curve converter means (ME) for computing from said integer x a pair of integers
(s,t) such that

= said integer s satisfies a predetermined relationship to said integer x, which relationship is
provided as a setting in all stations of the cryptographic system, and
= said pair of integers (s,t) satisfies the condition

t^2 ≡ s^3 + a·s + b (mod m)

whereby said integers (s,t) are representative of a point Q(s,t) of said elliptic curve ;
= an elliptic-curve computation means (ECC) for performing on said point Q(s,t) an elliptic-curve
computation

P(u,v) = d · Q(s,t)

for computing a point P(u,v) of said elliptic curve whose coordinates are a pair of integers (u,v)
representative of an encrypted signature corresponding to said integer x ; and
= transmission means (TR) for transmitting said pair of integers (u,v) for reception thereof at a
signature decryption station (B) ;
whereby the signature encryption station is capable of generating and transmitting to a corresponding
signature decryption station a signature allowing its authentication at the signature decryption station.
(Fig.1)

8. Cryptographic system according to claim 1, wherein the encryption station is a signature encryption
station (A) which comprises

= said trapdoor generator (TG) ;

= input means for being inputted an integer x subjected to predetermined conditions provided as a
setting in all stations of the cryptographic system ;
= storage means for said inputted integer x ;

= a message-to-elliptic-curve converter means (ME) for computing from said integer x a pair of integers
(s,t) such that

  = said integer s satisfies a predetermined relationship to said integer x, which relationship is
  provided as a setting in all stations of the cryptographic system, and
  = said pair of integers (s,t) satisfies the condition

    $t^2 \equiv s^3 + a \cdot s + b \pmod{m}$

  whereby said integers (s,t) are representative of a point Q(s,t) of said elliptic curve ;
= an elliptic-curve computation means (ECC) for performing on said point Q(s,t) an elliptic-curve
computation

P(u,v) = d • Q(s,t)

for computing a point P(u,v) of said elliptic curve whose coordinates are a pair of integers (u,v)
representative of an encrypted signature corresponding to said integer x ; and
= transmission means (TR) for transmitting said pair of integers (u,v) for reception thereof at a
signature decryption station (B) ;
whereby the signature encryption station is capable of generating and transmitting to a corresponding
signature decryption station a signature allowing its authentication at the signature decryption station.
(Fig.1)



9. Cryptographic system according to claim 1, wherein

• the encryption station is a signature encryption station (A),
• the trapdoor generator (TG) further comprises means for transferring at least said multiplicity r of
distinct prime numbers p_i, modulus m, pair of integers (a,b) and secret multiplier d to the signature
encryption station, and
• the signature encryption station comprises

  = input means for being inputted at least said multiplicity r of distinct prime numbers p_i, modulus
  m, pair of integers (a,b) and secret multiplier d ;
  = storage means for at least said inputted multiplicity r of distinct prime numbers p_i, modulus m,
  pair of integers (a,b) and secret multiplier d ;
  = means for selecting an integer x subjected to predetermined conditions provided as a setting in
  all stations of the cryptographic system ;
  = a message-to-elliptic-curve converter means (ME) for computing from said integer x a pair of
  integers (s,t) such that

    = said integer s satisfies a predetermined relationship to said integer x, which relationship is
    provided as a setting in all stations of the cryptographic system, and
    = said pair of integers (s,t) satisfies the condition

      $t^2 \equiv s^3 + a \cdot s + b \pmod{m}$

    whereby said integers (s,t) are representative of a point Q(s,t) of said elliptic curve ;
  = an elliptic-curve computation means (ECC) for performing on said point Q(s,t) an elliptic-curve
  computation

  P(u,v) = d • Q(s,t)

  for computing a point P(u,v) of said elliptic curve whose coordinates are a pair of integers (u,v)
  representative of an encrypted signature corresponding to said integer x ; and
  = transmission means (TR) for transmitting said pair of integers (u,v) for reception thereof at a
  signature decryption station (B) ;

whereby the signature encryption station is capable of generating and transmitting to a corresponding
signature decryption station a signature allowing its authentication at the signature decryption station.

(Fig.1)

10. Cryptographic system according to claim 1, wherein

• the encryption station is a signature encryption station (A),

• the trapdoor generator (TG) further comprises means for transferring at least said multiplicity r of
distinct prime numbers p_i, modulus m, pair of integers (a,b) and secret multiplier d to the signature
encryption station, and
• the signature encryption station comprises

  = input means for being inputted at least said multiplicity r of distinct prime numbers p_i, modulus
  m, pair of integers (a,b) and secret multiplier d, and further for being inputted an integer x
  subjected to predetermined conditions provided as a setting in all stations of the cryptographic
  system ;
  = storage means for at least said inputted multiplicity r of distinct prime numbers p_i, modulus m,
  pair of integers (a,b), secret multiplier d and integer x ;
  = a message-to-elliptic-curve converter means (ME) for computing from said integer x a pair of
  integers (s,t) such that

    = said integer s satisfies a predetermined relationship to said integer x, which relationship is
    provided as a setting in all stations of the cryptographic system, and
    = said pair of integers (s,t) satisfies the condition

      $t^2 \equiv s^3 + a \cdot s + b \pmod{m}$

    whereby said integers (s,t) are representative of a point Q(s,t) of said elliptic curve ;
  = an elliptic-curve computation means (ECC) for performing on said point Q(s,t) an elliptic-curve
  computation

  P(u,v) = d • Q(s,t)

  for computing a point P(u,v) of said elliptic curve whose coordinates are a pair of integers (u,v)
  representative of an encrypted signature corresponding to said integer x ; and
  = transmission means (TR) for transmitting said pair of integers (u,v) for reception thereof at a
  signature decryption station (B) ;

whereby the signature encryption station is capable of generating and transmitting to a corresponding
signature decryption station a signature allowing its authentication at the signature decryption station.
(Fig.1)

11. Cryptographic system according to any one of claims 7 to 10, wherein said message-to-elliptic-curve
converter means (ME) comprises

= means for computing said integer s from said integer x by assigning to said integer s the smallest
value which satisfies the condition

  $s \geq x$

and for which the expression

  $s^3 + a \cdot s + b \pmod{m}$

evaluates to a quadratic residue (mod m) ; and
= means for computing said integer t as a square root (mod m) of said quadratic residue (mod m).
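
An added example, not part of the patent text: a Python sketch of the message-to-elliptic-curve converter of claim 11, showing that finding (s,t) uses the prime factors of m while checking the curve condition needs only m. The primes 59 and 71, the coefficients a = 5 and b = 11 and all function names are constructed for illustration, and the sketch assumes every prime factor is ≡ 3 (mod 4) so that square roots have a closed form.

```python
# Constructed toy parameters, not taken from the patent.
PRIMES = (59, 71)        # secret prime factors p_i, assumed ≡ 3 (mod 4)
M = 59 * 71              # public modulus m = 4189
A, B = 5, 11             # public curve coefficients (a, b)


def rhs(s, m=M):
    """Right-hand side s^3 + a*s + b of the curve condition, reduced mod m."""
    return (s * s * s + A * s + B) % m


def is_residue(v, p):
    """Euler's criterion: v is a non-zero square modulo the odd prime p."""
    return pow(v, (p - 1) // 2, p) == 1


def crt(residues, primes):
    """Combine residues modulo pairwise distinct primes into one value."""
    value, modulus = 0, 1
    for r, p in zip(residues, primes):
        value += modulus * ((r - value) * pow(modulus, -1, p) % p)
        modulus *= p
    return value


def message_to_point(x, primes=PRIMES):
    """Return (s, t): the smallest s >= x whose right-hand side is a square
    modulo every prime factor, and one square root t of it modulo m."""
    m = 1
    for p in primes:
        m *= p
    for s in range(x, m):
        v = rhs(s, m)
        # Deciding squareness modulo m is done prime by prime (trapdoor needed).
        if all(is_residue(v % p, p) for p in primes):
            # For p ≡ 3 (mod 4), v^((p+1)/4) is a square root of v modulo p.
            roots = [pow(v % p, (p + 1) // 4, p) for p in primes]
            return s, crt(roots, primes)
    raise ValueError("no admissible s below m")


def on_curve(s, t, m=M):
    """Public check of t^2 ≡ s^3 + a*s + b (mod m); no prime factors needed."""
    return (t * t - rhs(s, m)) % m == 0
```
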

12. Cryptographic system according to any one of claims 7 to 10, wherein said integer x is selected to have 
a predetermined inherent redundancy. 

13. Cryptographic system according to claim 11, wherein said integer x is selected such that its binary rep- 
resentation has a predetermined number of least significant bits all having a same binary value. 

14. Cryptographic system according to any one of claims 7 to 10, wherein the decryption station is a signature
decryption station (B) which comprises 

= receiver means (RC) for receiving said pair of integers (u,v) representative of an encrypted signature 

corresponding to said integer x ; 
= means for interrogating a public directory (PD) for being transferred therefrom at least said modulus 

m, said pair of integers (a,b) and said public multiplier e ;
= storage means for at least said transferred modulus m, pair of integers (a,b) and public multiplier e ; 
= an elliptic-curve computation means (ECC) for performing, on said point P(u,v) of said elliptic curve
whose coordinates are said pair of integers (u,v), an elliptic-curve computation

Q(s,t) = e • P(u,v)

for computing a point Q(s,t) of said elliptic curve whose coordinates are said pair of integers (s,t) ;
and 

= an authentication means comprising 

= means (EM) for computing a decrypted signature from at least said integer s in consideration of 

said predetermined relationship between said integer s and said integer x, and 
= means (VM) for determining whether said decrypted signature satisfies said predetermined con- 
ditions to which integer x is subjected, in which case said decrypted signature is proved authentic ; 
whereby the signature decryption station is capable of decrypting and authenticating an encrypted sig- 
nature received from the corresponding signature encryption station (A). (Fig. 1) 

15. Cryptographic system according to any one of claims 7 to 10, wherein the decryption station is a signature
decryption station (B) which comprises 

= receiver means (RC) for receiving said pair of integers (u, v) representative of an encrypted signature 

corresponding to said integer x ; 
= input means for being inputted at least said modulus m, pair of integers (a, b) and public multiplier e 

transferred from said trapdoor generator by said transfer means ; 
= storage means for at least said transferred modulus m, pair of integers (a,b) and public multiplier e ;
= an elliptic-curve computation means (ECC) for performing, on said point P(u,v) of said elliptic curve
whose coordinates are said pair of integers (u,v), an elliptic-curve computation

Q(s,t) = e • P(u,v)

for computing a point Q(s,t) of said elliptic curve whose coordinates are said pair of integers (s,t) ;
and 

= an authentication means comprising 

= means (EM) for computing a decrypted signature from at least said integer s in consideration of 

said predetermined relationship between said integer s and said integer x, and 
= means (VM) for determining whether said decrypted signature satisfies said predetermined con- 
ditions to which integer x is subjected, in which case said decrypted signature is proved authentic ; 
whereby the signature decryption station is capable of decrypting and authenticating an encrypted sig- 
nature received from the corresponding signature encryption station (A). (Fig. 1) 

16. Cryptographic system according to claims 13 and 14, wherein said authentication means comprises 
means for determining whether each of the t least significant bits of integer s has said one and the same 
predetermined binary value.

17. Cryptographic system according to claim 2, wherein the encryption station is a signature encryption sta- 
tion which comprises 

= means for selecting a pair of integers (x,y) satisfying the conditions 0 ≤ x < m and 0 ≤ y < m and
further subjected to predetermined conditions provided as a setting in all stations of the cryptographic
system ;

= means for computing integer a according to equation

  $a \equiv [(y^2/x) - x^2] \pmod{m}$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3 has
been selected for said integer j at the trapdoor generator, in which latter case the means for computing
integer a actually can be dispensed with ;

= an elliptic-curve computation means for performing, on a point P(x,y) of an elliptic curve which
is representative of said integers (x,y), an elliptic-curve computation

Q(w,z) = d • P(x,y)

using the value of integer a computed in said computing means to compute a point Q(w,z) of said
elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted signature
corresponding to said pair of integers (x,y) ; and
= transmission means for transmitting said pair of integers (w,z) for reception thereof at a signature
decryption station ;

whereby the signature encryption station is capable of generating and transmitting to a corresponding
signature decryption station a signature allowing its authentication at the signature decryption station.

18. Cryptographic system according to claim 2, wherein the encryption station is a signature encryption sta- 
tion which comprises 

= input means for being inputted a pair of integers (x,y) satisfying the conditions 0 ≤ x < m and 0 ≤ y < m
and further subjected to predetermined conditions provided as a setting in all stations of the
cryptographic system ;
= storage means for said inputted pair of integers (x,y) ;
= means for computing integer a according to equation

  $a \equiv [(y^2/x) - x^2] \pmod{m}$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3 has
been selected for said integer j at the trapdoor generator, in which latter case the means for computing
integer a actually can be dispensed with ;

= an elliptic-curve computation means for performing, on a point P(x,y) of an elliptic curve which is
representative of said integers (x,y), an elliptic-curve computation

Q(w,z) = d • P(x,y)

using the value of integer a computed in said computing means to compute a point Q(w,z) of said
elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted signature
corresponding to said pair of integers (x,y) ; and

= transmission means for transmitting said pair of integers (w,z) for reception thereof at a signature
decryption station ;

whereby the signature encryption station is capable of generating and transmitting to a corresponding
signature decryption station a signature allowing its authentication at the signature decryption station.

19. Cryptographic system according to claim 2, wherein 

• the encryption station is a signature encryption station,

• the trapdoor generator further comprises means for transferring at least said multiplicity r of distinct
prime numbers p_i, modulus m and secret multiplier d to the signature encryption station, and

• the signature encryption station comprises

  = input means for being inputted at least said multiplicity r of distinct prime numbers p_i, modulus m
  and secret multiplier d ;

  = storage means for at least said inputted multiplicity r of distinct prime numbers p_i, modulus m and
  secret multiplier d ;

  = means for selecting a pair of integers (x,y) satisfying the conditions 0 ≤ x < m and 0 ≤ y < m and
  further subjected to predetermined conditions provided as a setting in all stations of the
  cryptographic system ;
  = means for computing integer a according to equation

    $a \equiv [(y^2/x) - x^2] \pmod{m}$

  in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
  has been selected for said integer j at the trapdoor generator, in which latter case the means for
  computing integer a actually can be dispensed with ;
  = an elliptic-curve computation means for performing, on a point P(x,y) of an elliptic curve which
  point is representative of said integers (x,y), an elliptic-curve computation

  Q(w,z) = d • P(x,y)

  using the value of integer a computed in said computing means to compute a point Q(w,z) of said
  elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted
  signature corresponding to said pair of integers (x,y) ; and
  = transmission means for transmitting said pair of integers (w,z) for reception thereof at a signature
decryption station ; 

whereby the signature encryption station is capable of generating and transmitting to a corresponding 
signature decryption station a signature allowing its authentication at the signature decryption station. 

20. Cryptographic system according to claim 2, wherein 

• the encryption station is a signature encryption station,

• the trapdoor generator further comprises means for transferring at least said multiplicity r of distinct
prime numbers p_i, modulus m and secret multiplier d to the signature encryption station, and

• the signature encryption station comprises

= input means for being inputted at least said multiplicity r of distinct prime numbers p_i, modulus m
and secret multiplier d, and further for being inputted a pair of integers (x,y) satisfying the
conditions 0 ≤ x < m and 0 ≤ y < m and further subjected to predetermined conditions provided as
a setting in all stations of the cryptographic system ;

= storage means for at least said inputted multiplicity r of distinct prime numbers p_i, modulus m,
secret multiplier d and pair of integers (x,y) ;

= means for computing integer a according to equation

  $a \equiv [(y^2/x) - x^2] \pmod{m}$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for said integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;

= an elliptic-curve computation means for performing, on a point P(x,y) of an elliptic curve which
is representative of said integers (x,y), an elliptic-curve computation

Q(w,z) = d • P(x,y)

using the value of integer a computed in said computing means to compute a point Q(w,z) of said
elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted
signature corresponding to said pair of integers (x,y) ; and
= transmission means for transmitting said pair of integers (w,z) for reception thereof at a signature 
decryption station ; 

whereby the signature encryption station is capable of generating and transmitting to a corresponding 
signature decryption station a signature allowing its authentication at the signature decryption station. 

21. Cryptographic system according to claim 5 and any one of claims 17 to 20, wherein the decryption station
is a signature decryption station which comprises 

= means for interrogating a public directory for being transferred therefrom at least said modulus m 
and public multiplier e ; 

= storage means for at least said transferred modulus m and public multiplier e ; 

= receiver means for receiving said pair of integers (w,z) representative of an encrypted message cor- 
responding to said pair of integers (x,y) ; 

= means for computing integer a according to equation 

  $a \equiv [(z^2/w) - w^2] \pmod{m}$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3 has
been selected for said integer j at the trapdoor generator, in which latter case the means for computing
integer a actually can be dispensed with ;

= an elliptic-curve computation means for performing, on a point Q(w,z) of said elliptic curve whose
coordinates are said pair of integers (w,z), an elliptic-curve computation

P(x,y) = e • Q(w,z)

using the value of integer a computed in said computing means to compute a point P(x,y) of said
elliptic curve whose coordinates are said pair of integers (x,y) representative of a decrypted message ;
and 

= an authentication means for determining whether said elliptic-curve computation means has suc- 
cessfully computed a pair of integers (x,y) satisfying the predetermined conditions provided as a set- 
ting in all stations of the cryptographic system ; 
whereby the signature decryption station is capable of decrypting and authenticating an encrypted sig- 
nature received from the corresponding signature encryption station. 

22. Cryptographic system according to claim 5 and any one of claims 17 to 20, wherein the decryption station 
is a signature decryption station which comprises 

= input means for being inputted at least said modulus m and public multiplier e transferred from said 
trapdoor generator by said transfer means ; 

= storage means for at least said transferred modulus m and public multiplier e ; 

= receiver means for receiving said pair of integers (w,z) representative of an encrypted message cor- 
responding to said pair of integers (x,y) ; 

= means for computing integer a according to equation 

  $a \equiv [(z^2/w) - w^2] \pmod{m}$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3 has
been selected for said integer j at the trapdoor generator, in which latter case the means for computing
integer a actually can be dispensed with ;

= an elliptic-curve computation means for performing, on a point Q(w,z) of said elliptic curve whose 
coordinates are said pair of integers (w,z), an elliptic-curve computation 

P(x,y) = e • Q(w,z)

using the value of integer a computed in said computing means to compute a point P(x,y) of said el- 
liptic curve whose coordinates are said pair of integers (x,y) representative of a decrypted message ; 
and 

= an authentication means for determining whether said elliptic-curve computation means has suc- 
cessfully computed a pair of integers (x,y) satisfying the predetermined conditions provided as a set- 
ting in all stations of the cryptographic system ; 
whereby the signature decryption station is capable of decrypting and authenticating an encrypted sig- 
nature received from the corresponding signature encryption station. 

23. Cryptographic system according to claim 6 and any one of claims 17 to 20, wherein the decryption station
is a signature decryption station which comprises 

= means for interrogating a public directory for being transferred therefrom at least said modulus m, 
public multiplier e and integer j ;

= storage means for at least said transferred modulus m, public multiplier e and integer j ;

= receiver means for receiving said pair of integers (w,z) representative of an encrypted message
corresponding to said pair of integers (x,y) ;

= means for computing integer a according to equation

  $a \equiv [(z^2/w) - w^2] \pmod{m}$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3 has
been selected for said integer j at the trapdoor generator, in which latter case the means for computing
integer a actually can be dispensed with ;

= an elliptic-curve computation means for performing, on a point Q(w,z) of said elliptic curve whose
coordinates are said pair of integers (w,z), an elliptic-curve computation

P(x,y) = e • Q(w,z)

using the value of integer a computed in said computing means to compute a point P(x,y) of said el- 
liptic curve whose coordinates are said pair of integers (x,y) representative of a decrypted message ; 
and 

= an authentication means for determining whether said elliptic-curve computation means has suc- 
cessfully computed a pair of integers (x,y) satisfying the predetermined conditions provided as a set- 
ting in all stations of the cryptographic system ; 
whereby the signature decryption station is capable of decrypting and authenticating an encrypted sig- 
nature received from the corresponding signature encryption station. 

24. Cryptographic system according to claim 6 and any one of claims 17 to 20, wherein the decryption station
is a signature decryption station which comprises

= input means for being inputted at least said modulus m, public multiplier e and integer j transferred
from said trapdoor generator by said transfer means ;
= storage means for at least said transferred modulus m, public multiplier e and integer j ;
= receiver means for receiving said pair of integers (w,z) representative of an encrypted message
corresponding to said pair of integers (x,y) ;
= means for computing integer a according to equation

  $a \equiv [(z^2/w) - w^2] \pmod{m}$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3 has
been selected for said integer j at the trapdoor generator, in which latter case the means for computing
integer a actually can be dispensed with ;
= an elliptic-curve computation means for performing, on a point Q(w,z) of said elliptic curve whose
coordinates are said pair of integers (w,z), an elliptic-curve computation

P(x,y) = e • Q(w,z)

using the value of integer a computed in said computing means to compute a point P(x,y) of said
elliptic curve whose coordinates are said pair of integers (x,y) representative of a decrypted message ;
and

= an authentication means for determining whether said elliptic-curve computation means has suc- 
cessfully computed a pair of integers (x,y) satisfying the predetermined conditions provided as a set- 
ting in all stations of the cryptographic system ; 
whereby the signature decryption station is capable of decrypting and authenticating an encrypted sig- 
nature received from the corresponding signature encryption station. 

25. Cryptographic system according to claims 3 and 5, wherein the encryption station is a message encryp- 
tion station (B) which comprises 

= means for interrogating a public directory for being transferred therefrom at least said modulus m 
and public multiplier e ; 

= storage means for at least said transferred modulus m and public multiplier e ; 

= message input means for being inputted a pair of integers (x,y) representative of a message,
satisfying the conditions 0 ≤ x < m and 0 ≤ y < m ;

= means for computing integer a according to equation

  $a \equiv [(y^2/x) - x^2] \pmod{m}$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3 has
been selected for said integer j at the trapdoor generator, in which latter case the means for computing
integer a actually can be dispensed with ;

= an elliptic-curve computation means (ECC) for performing, on a point P(x,y) of an elliptic curve which
is representative of said integers (x,y), an elliptic-curve computation

Q(w,z) = e • P(x,y)

using the value of integer a computed in said computing means to compute a point Q(w,z) of said 
elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted message 
corresponding to said pair of integers (x,y) ; and 
= transmission means (TR) for transmitting said pair of integers (w,z) for reception thereof at a mes- 
sage decryption station (A) ; 

whereby the message encryption station is capable of encrypting and transmitting a message allowing 

its decryption at a message receiving and decryption station. (Fig. 2) 

26. Cryptographic system according to claims 4 and 5, wherein the encryption station is a message encryp- 
tion station (B) which comprises 

= input means for being inputted at least said modulus m and public multiplier e transferred from said 

trapdoor generator by said transfer means ; 
= storage means for at least said transferred modulus m and public multiplier e ; 
= message input means for being inputted a pair of integers (x,y) representative of a message
satisfying the conditions 0 ≤ x < m and 0 ≤ y < m ;
= means for computing integer a according to equation

  $a \equiv [(y^2/x) - x^2] \pmod{m}$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3 has
been selected for said integer j at the trapdoor generator, in which latter case the means for computing
integer a actually can be dispensed with ;
= an elliptic-curve computation means (ECC) for performing, on a point P(x,y) of an elliptic curve which
is representative of said integers (x,y), an elliptic-curve computation

Q(w,z) = e • P(x,y)

using the value of integer a computed in said computing means to compute a point Q(w,z) of said
elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted message
corresponding to said pair of integers (x,y) ; and
= transmission means (TR) for transmitting said pair of integers (w,z) for reception thereof at a
message decryption station (A) ;

whereby the message encryption station is capable of encrypting and transmitting a message allowing 

its decryption at a message receiving and decryption station. (Fig. 2) 

27. Cryptographic system according to claims 3 and 6, wherein the encryption station is a message encryp- 
tion station (B) which comprises 

= means for interrogating a public directory for being transferred therefrom at least said modulus m, 
public multiplier e and integer j ;

= storage means for at least said transferred modulus m and public multiplier e and integer j ;

= message input means for being inputted a pair of integers (x,y) representative of a message,
satisfying the conditions 0 ≤ x < m and 0 ≤ y < m ;

= means for computing integer a according to equation

  $a \equiv [(y^2/x) - x^2] \pmod{m}$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3 has
been selected for said integer j at the trapdoor generator, in which latter case the means for computing
integer a actually can be dispensed with ;

= an elliptic-curve computation means (ECC) for performing, on a point P(x,y) of an elliptic curve which
is representative of said integers (x,y), an elliptic-curve computation 

Q(w,z) = e • P(x,y) 

using the value of integer a computed in said computing means to compute a point Q(w,z) of said 
elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted message 
corresponding to said pair of integers (x,y) ; and 
= transmission means (TR) for transmitting said pair of integers (w,z) for reception thereof at a mes- 
sage decryption station (A) ; 

whereby the message encryption station is capable of encrypting and transmitting a message allowing 

its decryption at a message receiving and decryption station. (Fig. 2) 

28. Cryptographic system according to claims 4 and 6, wherein the encryption station is a message encryp- 
tion station (B) which comprises 

= input means for being inputted at least said modulus m, public multiplier e and integer j transferred
from said trapdoor generator by said transfer means ;

= storage means for at least said transferred modulus m, public multiplier e and integer j ;

= message input means for being inputted a pair of integers (x,y) representative of a message,
satisfying the conditions 0 ≤ x < m and 0 ≤ y < m ;

= means for computing integer a according to equation

  $a \equiv [(y^2/x) - x^2] \pmod{m}$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3 has
been selected for said integer j at the trapdoor generator, in which latter case the means for computing
integer a actually can be dispensed with ;

= an elliptic-curve computation means (ECC) for performing, on a point P(x,y) of an elliptic curve which
is representative of said integers (x,y), an elliptic-curve computation

Q(w,z) = e • P(x,y)

using the value of integer a computed in said computing means to compute a point Q(w,z) of said
elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted message
corresponding to said pair of integers (x,y) ; and 
= transmission means (TR) for transmitting said pair of integers (w,z) for reception thereof at a mes- 
sage decryption station (A) ; 

whereby the message encryption station is capable of encrypting and transmitting a message allowing 

its decryption at a message receiving and decryption station. (Fig. 2) 

29. Cryptographic system according to claim 2 and any one of claims 25 to 28, wherein the decryption station
is a message decryption station which comprises

= said trapdoor generator ;

= receiver means for receiving said pair of integers (w,z) representative of an encrypted message
corresponding to said pair of integers (x,y) ;

= means for computing integer a according to equation

  $a \equiv [(z^2/w) - w^2] \pmod{m}$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3 has
been selected for said integer j at the trapdoor generator, in which latter case the means for computing
integer a actually can be dispensed with ; and

= an elliptic-curve computation means for performing, on a point Q(w,z) of said elliptic curve whose
coordinates are said pair of integers (w,z), an elliptic-curve computation

P(x,y) = d • Q(w,z)

using the value of integer a computed in said computing means to compute a point P(x,y) of said
elliptic curve whose coordinates are said pair of integers (x,y) representative of a decrypted message ;

whereby the message decryption station is capable of receiving and decrypting a message. 

30. Cryptographic system according to claim 5 and any one of claims 25 to 28, wherein 

• the decryption station is a message decryption station,

• the trapdoor generator further comprises means for transferring at least said modulus m and secret
multiplier d to the message decryption station, and

• the message decryption station comprises

= input means for being inputted at least said modulus m and secret multiplier d ;
= storage means for at least said inputted modulus m and secret multiplier d ;
= receiver means for receiving said pair of integers (w,z) representative of an encrypted message
corresponding to said pair of integers (x,y) ;
= means for computing integer a according to equation

  $a \equiv [(z^2/w) - w^2] \pmod{m}$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for said integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ; and
= an elliptic-curve computation means for performing, on a point Q(w,z) of said elliptic curve whose
coordinates are said pair of integers (w,z), an elliptic-curve computation

P(x,y) = d • Q(w,z)

using the value of integer a computed in said computing means to compute a point P(x,y) of said
elliptic curve whose coordinates are said pair of integers (x,y) representative of a decrypted
message ;

whereby the message decryption station is capable of receiving and decrypting a message. 

31. Cryptographic system according to claim 6 and any one of claims 25 to 28, wherein

• the decryption station is a message decryption station,

• the trapdoor generator further comprises means for transferring at least said modulus m, secret
multiplier d and integer j to the message decryption station, and

• the message decryption station comprises

= input means for being inputted at least said modulus m, secret multiplier d and integer j ;

= storage means for at least said inputted modulus m, secret multiplier d and integer j ;

= receiver means for receiving said pair of integers (w,z) representative of an encrypted message
corresponding to said pair of integers (x,y) ;
= means for computing integer a according to equation

  $a \equiv [(z^2/w) - w^2] \pmod{m}$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for said integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ; and
= an elliptic-curve computation means for performing, on a point Q(w,z) of said elliptic curve whose
coordinates are said pair of integers (w,z), an elliptic-curve computation

P(x,y) = d • Q(w,z)

using the value of integer a computed in said computing means to compute a point P(x,y) of said
elliptic curve whose coordinates are said pair of integers (x,y) representative of a decrypted
message ;

whereby the message decryption station is capable of receiving and decrypting a message. 

32. Cryptographic system according to claim 2, further comprising 

= a trusted authority device (TA) for issuing data allowing identification of a station of the cryptographic system ; and
= at least one identification device (iD) included in a station of the cryptographic system and equipped with storage means (SM) for said identification allowing data ;
= at least one verification device (VD) included in another station of the cryptographic system and adapted to cooperate with said identification device ;

- said trusted authority device being equipped with said trapdoor generator and further comprising

  = means for selecting an identification data string I uniquely representative of an identity of an applicant for said identification device ;
  = means for selecting a function f that assigns to any of said unique strings I a respective unique pair of integers (x,y) satisfying the conditions 0 ≤ x < m and 0 ≤ y < m, whereby said integers (x,y) are representative of a point P(x,y) = f(I) of an elliptic curve ;
  = an elliptic-curve computation means (ECC) for performing on said point P(x,y) an elliptic-curve computation

        Q(s,t) = d · P(x,y)

    for computing a point Q(s,t) of said elliptic curve whose coordinates are a pair of integers (s,t) representative of an encrypted string corresponding to said identification data string I ; and
  = transfer means (TR) for transferring at least said identification data string I, modulus m, public multiplier e, pair of integers (x,y) and pair of integers (s,t) to said storage means (SM) of said identification device (iD) for storage therein. (Fig. 3)

33. Cryptographic system according to claim 32, wherein said function f is provided as a setting in all stations 
of the cryptographic system. 

34. Cryptographic system according to claim 32, wherein said data transferred by said transfer means also 
comprise said function f. 

35. Cryptographic system according to claim 33, wherein 

- said identification device (iD) comprises

  = means for computing integer a according to equation

        a = [(y² / x) - x²] (mod m)

    in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3 has been selected for said integer j at the trapdoor generator, in which latter case the means for computing integer a actually can be dispensed with ;
  = means (RiG) for selecting a random integer r satisfying the condition 0 ≤ r ≤ l wherein l is an integer provided as a setting in the identification device and satisfying the condition l < m ;
  = an elliptic-curve computation means (ECC) for performing, on said point P(u,v) of said elliptic curve whose coordinates are said pair of integers (u,v), an elliptic-curve computation

        U(u_x,u_y) = r · P(x,y)

    for computing a point U(u_x,u_y) of said elliptic curve whose coordinates are a pair of integers (u_x,u_y) ;
  = an elliptic-curve computation means (ECC) for performing, on said point U(u_x,u_y) of said elliptic curve whose coordinates are said pair of integers (u_x,u_y), an elliptic-curve computation

        V(v_x,v_y) = e · U(u_x,u_y)

    for computing a point V(v_x,v_y) of said elliptic curve whose coordinates are a pair of integers (v_x,v_y) ;
  = transmission means (TR) for transmitting said identification data string I and pair of integers (v_x,v_y) for reception thereof at said other station including said verification device (VD) ;
  = receiver means (RC) for receiving an integer k as a challenge from said other station including said verification device ;
  = an elliptic-curve computation means (ECC) for performing, on said point Q(s,t) of said elliptic curve whose coordinates are said pair of integers (s,t), an elliptic-curve computation

        W(w_x,w_y) = U(u_x,u_y) + k · Q(s,t)

    for computing a point W(w_x,w_y) of said elliptic curve whose coordinates are a pair of integers (w_x,w_y) ;




  = transmission means (TR) for transmitting said pair of integers (w_x,w_y) for reception thereof at said other station including said verification device (VD) ;
and

- said verification device (VD) comprises

  = means for computing from said identification data string I according to said function f said pair of integers (x,y) representative of a point P(x,y) = f(I) of said elliptic curve ;
  = means (RiG) for selecting a random integer k satisfying the condition 0 ≤ k ≤ (e - 1) ;
  = transmission means (TR) for transmitting said random integer k for reception thereof at said station including said identification device as a challenge ;
  = receiver means (RC) for receiving said pair of integers (w_x,w_y) as a response to said challenge from said station including said identification challenge device (iD) ;
  = an elliptic-curve computation means (ECC) for performing, on said point W(w_x,w_y) of said elliptic curve whose coordinates are said pair of integers (w_x,w_y), an elliptic-curve computation

        T_1(t_1x,t_1y) = e · W(w_x,w_y)

    for computing a point T_1(t_1x,t_1y) of said elliptic curve whose coordinates are a pair of integers (t_1x,t_1y) ;
  = an elliptic-curve computation means (ECC) for performing, on said point W(w_x,w_y) of said elliptic curve whose coordinates are said pair of integers (w_x,w_y), an elliptic-curve computation

        T_2(t_2x,t_2y) = V(v_x,v_y) + k · P(x,y)

    for computing a point T_2(t_2x,t_2y) of said elliptic curve whose coordinates are a pair of integers (t_2x,t_2y) ; and
  = means (CMP) for comparing said pairs of integers (t_1x,t_1y) and (t_2x,t_2y) with each other so as to determine whether both test conditions t_1x = t_2x and t_1y = t_2y are satisfied by said pairs of integers (t_1x,t_1y) and (t_2x,t_2y) ;

whereby the verification device is capable of determining whether an identification device is genuine. (Fig.

36. Cryptographic system according to claim 34, wherein 

- said trusted authority device further comprises transfer means for transferring said function f to a corresponding storage means provided in said verification device for locally storing said function f in said verification device ;

- said identification device comprises

  = means for computing integer a according to equation

        a = [(y² / x) - x²] (mod m)

    in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3 has been selected for said integer j at the trapdoor generator, in which latter case the means for computing integer a actually can be dispensed with ;
  = means for selecting a random integer r satisfying the condition 0 ≤ r ≤ m ;
  = an elliptic-curve computation means for performing, on said point P(u,v) of said elliptic curve whose coordinates are said pair of integers (u,v), an elliptic-curve computation

        U(u_x,u_y) = r · P(x,y)

    for computing a point U(u_x,u_y) of said elliptic curve whose coordinates are a pair of integers (u_x,u_y) ;
  = an elliptic-curve computation means for performing, on said point U(u_x,u_y) of said elliptic curve whose coordinates are said pair of integers (u_x,u_y), an elliptic-curve computation

        V(v_x,v_y) = e · U(u_x,u_y)

    for computing a point V(v_x,v_y) of said elliptic curve whose coordinates are a pair of integers (v_x,v_y) ;
  = transmission means for transmitting said identification data string I and pair of integers (v_x,v_y) for reception thereof at said other station including said verification device ;
  = receiver means for receiving an integer k as a challenge from said other station including said verification device ;
  = an elliptic-curve computation means for performing, on said point Q(s,t) of said elliptic curve whose coordinates are said pair of integers (s,t), an elliptic-curve computation

        W(w_x,w_y) = U(u_x,u_y) + k · Q(s,t)

    for computing a point W(w_x,w_y) of said elliptic curve whose coordinates are a pair of integers (w_x,w_y) ;
  = transmission means for transmitting said pair of integers (w_x,w_y) for reception thereof at said other station including said verification device ;
and

- said verification device comprises

  = input means for being inputted at least said function f from said trusted authority device by said transfer means thereof ;
  = storage means for at least said transferred function f ;
  = means for computing from said identification data string I according to said function f said pair of integers (x,y) representative of a point P(x,y) = f(I) of said elliptic curve ;
  = means for selecting a random integer k satisfying the condition 0 ≤ k ≤ (e - 1) ;
  = transmission means for transmitting said random integer k for reception thereof at said station including said identification device as a challenge ;
  = receiver means for receiving said pair of integers (w_x,w_y) as a response to said challenge from said station including said identification device ;
  = an elliptic-curve computation means for performing, on said point W(w_x,w_y) of said elliptic curve whose coordinates are said pair of integers (w_x,w_y), an elliptic-curve computation

        T_1(t_1x,t_1y) = e · W(w_x,w_y)

    for computing a point T_1(t_1x,t_1y) of said elliptic curve whose coordinates are a pair of integers (t_1x,t_1y) ;
  = an elliptic-curve computation means for performing, on said point W(w_x,w_y) of said elliptic curve whose coordinates are said pair of integers (w_x,w_y), an elliptic-curve computation

        T_2(t_2x,t_2y) = V(v_x,v_y) + k · P(x,y)

    for computing a point T_2(t_2x,t_2y) of said elliptic curve whose coordinates are a pair of integers (t_2x,t_2y) ; and
  = means for comparing said pairs of integers (t_1x,t_1y) and (t_2x,t_2y) with each other so as to determine whether both test conditions t_1x = t_2x and t_1y = t_2y are satisfied by said pairs of integers (t_1x,t_1y) and (t_2x,t_2y) ;

whereby the verification device is capable of determining whether an identification device is genuine.

37. Cryptographic system according to claim 34, wherein

- said trusted authority device further comprises transfer means for transferring said function f to a public directory which can be interrogated by any station for locally storing said function f in said station ;

- said identification device comprises

  = means for computing integer a according to equation

        a = [(y² / x) - x²] (mod m)

    in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3 has been selected for said integer j at the trapdoor generator, in which latter case the means for computing integer a actually can be dispensed with ;
  = means for selecting a random integer r satisfying the condition 0 ≤ r ≤ m ;
  = an elliptic-curve computation means for performing, on said point P(u,v) of said elliptic curve whose coordinates are said pair of integers (u,v), an elliptic-curve computation

        U(u_x,u_y) = r · P(x,y)

    for computing a point U(u_x,u_y) of said elliptic curve whose coordinates are a pair of integers (u_x,u_y) ;
  = an elliptic-curve computation means for performing, on said point U(u_x,u_y) of said elliptic curve whose coordinates are said pair of integers (u_x,u_y), an elliptic-curve computation

        V(v_x,v_y) = e · U(u_x,u_y)

    for computing a point V(v_x,v_y) of said elliptic curve whose coordinates are a pair of integers (v_x,v_y) ;
  = transmission means for transmitting said identification data string I and pair of integers (v_x,v_y) for reception thereof at said other station including said verification device ;
  = receiver means for receiving an integer k as a challenge from said other station including said verification device ;
  = an elliptic-curve computation means for performing, on said point Q(s,t) of said elliptic curve whose coordinates are said pair of integers (s,t), an elliptic-curve computation

        W(w_x,w_y) = U(u_x,u_y) + k · Q(s,t)

    for computing a point W(w_x,w_y) of said elliptic curve whose coordinates are a pair of integers (w_x,w_y) ;
  = transmission means for transmitting said pair of integers (w_x,w_y) for reception thereof at said other station including said verification device ;
and

- said verification device comprises

  = means for interrogating a public directory for being transferred therefrom at least said function f ;
  = storage means for at least said transferred function f ;
  = means for computing from said identification data string I according to said function f said pair of integers (x,y) representative of a point P(x,y) = f(I) of said elliptic curve ;
  = means for selecting a random integer k satisfying the condition 0 ≤ k ≤ (e - 1) ;
  = transmission means for transmitting said random integer k for reception thereof at said station including said identification device as a challenge ;
  = receiver means for receiving said pair of integers (w_x,w_y) as a response to said challenge from said station including said identification device ;
  = an elliptic-curve computation means for performing, on said point W(w_x,w_y) of said elliptic curve whose coordinates are said pair of integers (w_x,w_y), an elliptic-curve computation

        T_1(t_1x,t_1y) = e · W(w_x,w_y)

    for computing a point T_1(t_1x,t_1y) of said elliptic curve whose coordinates are a pair of integers (t_1x,t_1y) ;
  = an elliptic-curve computation means for performing, on said point W(w_x,w_y) of said elliptic curve whose coordinates are said pair of integers (w_x,w_y), an elliptic-curve computation

        T_2(t_2x,t_2y) = V(v_x,v_y) + k · P(x,y)

    for computing a point T_2(t_2x,t_2y) of said elliptic curve whose coordinates are a pair of integers (t_2x,t_2y) ; and
  = means for comparing said pairs of integers (t_1x,t_1y) and (t_2x,t_2y) with each other so as to determine whether both test conditions t_1x = t_2x and t_1y = t_2y are satisfied by said pairs of integers (t_1x,t_1y) and (t_2x,t_2y) ;

whereby the verification device is capable of determining whether an identification device is genuine.

38. Cryptographic system according to any one of claims 35 to 37, wherein said means for selecting a random integer k and said transmission means for transmitting said random integer k as a challenge are constructed for recurrent operation a plurality of times in the course of an identification session.
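The challenge-response exchange of claims 35 to 38, together with the computation of integer a and the d · Q step used in claims 30 and 31, as an added Python example that is not part of the patent text. It assumes the case j = 4, a constructed demo modulus built from two Mersenne primes (trivially factorable, chosen only because their primality is well known), and a SHA-256-based stand-in for the function f; all function names are hypothetical.

```python
"""Toy model of the identification exchange in claims 35-38 (case j = 4)."""
import hashlib
import secrets
from math import gcd

# Constructed demo primes (Mersenne primes). Both are 3 (mod 4), so every curve
# y^2 = x^3 + a*x with a != 0 has p + 1 points mod p. NOT a secure modulus.
P1, P2 = 2**89 - 1, 2**127 - 1


def trapdoor(e=65537):
    """Trapdoor generator: modulus m, public multiplier e, secret multiplier d."""
    m = P1 * P2
    mu = (P1 + 1) * (P2 + 1) // gcd(P1 + 1, P2 + 1)   # lcm of the (p_i + 1)
    return m, e, pow(e, -1, mu)                        # d = 1/e (mod mu)


def f(identity, m):
    """Assumed public function f: identity string I -> pair (x, y), 0 <= x, y < m."""
    def h(tag):
        return int.from_bytes(hashlib.sha256(tag + identity.encode()).digest(), "big") % m
    return h(b"x|"), h(b"y|")


def curve_a(pt, m):
    """a = [(y^2 / x) - x^2] (mod m): the curve y^2 = x^3 + a*x through pt."""
    x, y = pt
    return (y * y * pow(x, -1, m) - x * x) % m


def add(A, B, a, m):
    """Chord-tangent addition over Z_m; None is the point at infinity.

    pow(.., -1, m) raises ValueError when a denominator shares a factor with m,
    i.e. the sum is undefined over the ring (negligible for a large m).
    """
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % m == 0:
        return None
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % m, -1, m) % m
    else:
        lam = (y2 - y1) * pow((x2 - x1) % m, -1, m) % m
    x3 = (lam * lam - x1 - x2) % m
    return x3, (lam * (x1 - x3) - y1) % m


def mul(k, A, a, m):
    """k * A by left-to-right double-and-add."""
    acc = None
    for bit in bin(k)[2:]:
        acc = add(acc, acc, a, m)
        if bit == "1":
            acc = add(acc, A, a, m)
    return acc


def issue(identity, m, d):
    """Trusted authority: P = f(I) and Q = d * P, both stored in the device."""
    P = f(identity, m)
    return P, mul(d, P, curve_a(P, m), m)


def prove_commit(P, m, e):
    """Identification device: random r, U = r * P, V = e * U (V is sent with I)."""
    a = curve_a(P, m)
    U = mul(secrets.randbelow(m + 1), P, a, m)         # 0 <= r <= m
    return U, mul(e, U, a, m)


def prove_respond(U, k, P, Q, m):
    """Identification device: W = U + k * Q for the received challenge k."""
    a = curve_a(P, m)
    return add(U, mul(k, Q, a, m), a, m)


def verify(identity, V, k, W, m, e):
    """Verification device: accept iff T1 = e * W equals T2 = V + k * P."""
    P = f(identity, m)
    a = curve_a(P, m)
    return mul(e, W, a, m) == add(V, mul(k, P, a, m), a, m)


def session(identity, P, Q, m, e, rounds=3, challenge=None):
    """Run several challenge-response rounds (claim 38); all must verify."""
    for _ in range(rounds):
        U, V = prove_commit(P, m, e)
        k = secrets.randbelow(e) if challenge is None else challenge  # 0 <= k <= e - 1
        if not verify(identity, V, k, prove_respond(U, k, P, Q, m), m, e):
            return False
    return True
```

The check succeeds for a genuine device because e · Q = e · d · P = P, so e · W = e · U + k · (e · Q) = V + k · P; a device holding any other point in place of Q passes a round only for the challenge value it anticipated.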



Patent claims

1. Cryptographic communications system comprising at least one communications channel (COM), at least one encryption station (A;B), at least one decryption station (B;A), said encryption and decryption stations being mutually linked through the communications channel, and further comprising a trapdoor generator (TG), said trapdoor generator being characterized in that it comprises :

= means for selecting a plurality r of distinct prime numbers p_i, wherein i is an integer satisfying the conditions 1 ≤ i ≤ r ;
= means for generating a modulus m which is the product of said prime numbers p_i ;
= means for selecting a pair of integers (a,b) satisfying the conditions 0 ≤ a < m and 0 ≤ b < m ;
= means for computing, for each prime number p_i, a number N(p_i) of distinct pairs of integers (x,y) satisfying the conditions 0 ≤ x < p_i and 0 ≤ y < p_i and further satisfying the condition

        y² = x³ + ax + b (mod p_i)

  and for computing from these numbers N(p_i) a sum value N(p_i) + 1, which sum value represents an order of such an elliptic curve defined as the set of said pairs of integers (x,y) ;
= means for computing the least common multiple μ of said sum values N(p_i) + 1 ;
= means for selecting a public multiplier e which is relatively prime to μ ;
= means for computing a secret multiplier d according to an equation

        d ≡ 1/e (mod μ) ;

  and
= transfer means for transferring data comprising at least said modulus m, said pair of integers (a,b) and said public multiplier e to a corresponding storage means (PD) provided in the cryptographic system for locally storing said data therein,

whereby the cryptographic system is provided with a trapdoor one-way function for a transformation whose trapdoor is the secret multiplier d.

2. Cryptographic communications system comprising at least one communications channel (COM), at least one encryption station (A;B), at least one decryption station (B;A), said encryption and decryption stations being mutually linked through the communications channel, and further comprising a trapdoor generator (TG), said trapdoor generator being characterized in that it comprises :

= means for selecting a plurality r of distinct prime numbers p_i, each of which has a respectively corresponding sum value (p_i + 1) satisfying the condition

        (p_i + 1) ≡ (mod j)

  wherein i is an integer satisfying the conditions 1 ≤ i ≤ r, and j is an integer whose value is selected from 3 or 4 ;
= means for generating a modulus m which is the product of said prime numbers p_i ;
= means for computing the least common multiple μ of said numbers (p_i + 1) ;
= means for selecting a public multiplier e which is relatively prime to μ ;
= means for computing a secret multiplier d according to an equation

        d ≡ 1/e (mod μ) ;

  and
= transfer means for transferring data comprising at least said modulus m and said public multiplier e to a corresponding storage means (PD) provided in the cryptographic system for locally storing said data therein,

whereby the cryptographic system is provided with a trapdoor one-way function for a transformation whose trapdoor is the secret multiplier d.

3. Cryptographic system according to claim 1 or 2, wherein said corresponding storage means is a public directory (PD) which can be interrogated by any station of the cryptographic system for locally storing therein said data transferred from said trapdoor generator (TG) by said transfer means.

4. Cryptographic system according to claim 1 or 2, wherein said corresponding storage means (ECC) is included in a station (A;B) of the cryptographic system for locally storing therein said data transferred from said trapdoor generator by said transfer means.

5. Cryptographic system according to claim 2, wherein said selected value of the integer j is provided as a setting in all stations of the cryptographic system.

6. Cryptographic system according to claim 2, wherein said data transferred by said transfer means also comprise said selected value of the integer j.

7. Cryptographic system according to claim 1, wherein the encryption station is a signature encryption station (A) comprising :

= said trapdoor generator (TG) ;
= means for selecting an integer x satisfying predetermined conditions which are provided as a setting in all stations of the cryptographic system ;
= message-to-elliptic-curve conversion means (ME) for computing a pair of integers (s,t) from said integer x, such that
  = said integer s stands in a predetermined relationship to said integer x, said relationship being provided as a setting in all stations of the cryptographic system, and
  = said pair of integers (s,t) satisfies the condition

        t² ≡ s³ + a·s + b (mod m)

    wherein said integers (s,t) represent a point Q(s,t) of said elliptic curve ;
= elliptic-curve computation means (ECC) for performing an elliptic-curve computation

        P(u,v) = d · Q(s,t)

  on said point Q(s,t) for computing a point P(u,v) of said elliptic curve whose coordinates are a pair of integers (u,v) representative of an encrypted signature corresponding to said integer x ; and
= transmission means (TR) for transmitting said pair of integers (u,v) for reception thereof at a signature decryption station (B) ;

whereby the signature encryption station is capable of generating a signature and transmitting it to a corresponding signature decryption station, which signature allows its authentication at the signature decryption station. (Fig. 1)

8. Cryptographic system according to claim 1, wherein the encryption station is a signature encryption station (A) comprising :

= said trapdoor generator (TG) ;
= input means for being inputted an integer x satisfying predetermined conditions which are provided as a setting in all stations of the cryptographic system ;
= storage means for said inputted integer x ;
= message-to-elliptic-curve conversion means (ME) for computing a pair of integers (s,t) from said integer x, such that
  = said integer s stands in a predetermined relationship to said integer x, said relationship being provided as a setting in all stations of the cryptographic system, and
  = said pair of integers (s,t) satisfies the condition

        t² ≡ s³ + a·s + b (mod m)

    wherein said integers (s,t) represent a point Q(s,t) of said elliptic curve ;
= elliptic-curve computation means (ECC) for performing an elliptic-curve computation

        P(u,v) = d · Q(s,t)

  on said point Q(s,t) for computing a point P(u,v) of said elliptic curve whose coordinates are a pair of integers (u,v) representative of an encrypted signature corresponding to said integer x ; and
= transmission means (TR) for transmitting said pair of integers (u,v) for reception thereof at a signature decryption station (B) ;

whereby the signature encryption station is capable of generating a signature and transmitting it to a corresponding signature decryption station, which signature allows its authentication at the signature decryption station. (Fig. 1)

9. Cryptographic system according to claim 1, wherein

- the encryption station is a signature encryption station (A),

- said trapdoor generator (TG) further comprises means for transferring at least said plurality r of distinct prime numbers p_i, said modulus m, said pair of integers (a,b) and said secret multiplier d to the signature encryption station, and

- the signature encryption station comprises :

  = input means for being inputted at least said plurality r of distinct prime numbers p_i, said modulus m, said pair of integers (a,b) and said secret multiplier d ;
  = storage means for at least said inputted plurality r of distinct prime numbers p_i, said inputted modulus m, said inputted pair of integers (a,b) and said inputted secret multiplier d ;
  = means for selecting an integer x satisfying predetermined conditions which are provided as a setting in all stations of the cryptographic system ;
  = message-to-elliptic-curve conversion means (ME) for computing a pair of integers (s,t) from said integer x, such that
    = said integer s stands in a predetermined relationship to said integer x, said relationship being provided as a setting in all stations of the cryptographic system, and
    = said pair of integers (s,t) satisfies the condition

        t² ≡ s³ + a·s + b (mod m)

      wherein said integers (s,t) represent a point Q(s,t) of said elliptic curve ;
  = elliptic-curve computation means (ECC) for performing an elliptic-curve computation

        P(u,v) = d · Q(s,t)

    on said point Q(s,t) for computing a point P(u,v) of said elliptic curve whose coordinates are a pair of integers (u,v) representative of an encrypted signature corresponding to said integer x ; and
  = transmission means (TR) for transmitting said pair of integers (u,v) for reception thereof at a signature decryption station (B) ;

whereby the signature encryption station is capable of generating a signature and transmitting it to a corresponding signature decryption station, which signature allows its authentication at the signature decryption station. (Fig. 1)

10. Cryptographic system according to claim 1, wherein

- the encryption station is a signature encryption station (A),

- said trapdoor generator (TG) further comprises means for transferring at least said plurality r of distinct prime numbers p_i, said modulus m, said pair of integers (a,b) and said secret multiplier d to the signature encryption station, and

- the signature encryption station comprises :

  = input means for being inputted at least said plurality r of distinct prime numbers p_i, said modulus m, said pair of integers (a,b) and said secret multiplier d, and further for being inputted an integer x satisfying predetermined conditions which are provided as a setting in all stations of the cryptographic system ;
  = storage means for at least said inputted plurality r of distinct prime numbers p_i, said inputted modulus m, said inputted pair of integers (a,b), said inputted secret multiplier d and said inputted integer x ;
  = message-to-elliptic-curve conversion means (ME) for computing a pair of integers (s,t) from said integer x, such that
    = said integer s stands in a predetermined relationship to said integer x, said relationship being provided as a setting in all stations of the cryptographic system, and
    = said pair of integers (s,t) satisfies the condition

        t² ≡ s³ + a·s + b (mod m)

      wherein said integers (s,t) represent a point Q(s,t) of said elliptic curve ;
  = elliptic-curve computation means (ECC) for performing an elliptic-curve computation

        P(u,v) = d · Q(s,t)

    on said point Q(s,t) for computing a point P(u,v) of said elliptic curve whose coordinates are a pair of integers (u,v) representative of an encrypted signature corresponding to said integer x ; and
  = transmission means (TR) for transmitting said pair of integers (u,v) for reception thereof at a signature decryption station (B) ;

whereby the signature encryption station is capable of generating a signature and transmitting it to a corresponding signature decryption station, which signature allows its authentication at the signature decryption station. (Fig. 1)

11. Cryptographic system according to any one of claims 7 to 10, wherein said message-to-elliptic-curve conversion means (ME) comprise :

= means for computing said integer s from said integer x by assigning to said integer s the smallest value which satisfies the condition

        s ≥ x

  and for which the evaluation of the expression

        s³ + a·s + b (mod m)

  yields a quadratic residue (mod m) ; and
= means for computing said integer t as a square root (mod m) of said quadratic residue (mod m).

12. Cryptographic system according to any one of claims 7 to 10, wherein said integer x is selected so as to have a predetermined inherent redundancy.

13. Cryptographic system according to claim 11, wherein said integer x is selected such that its binary representation has a predetermined number of least significant bits which all have the same binary value.

14. Cryptographic system according to any one of claims 7 to 10, wherein the decryption station is a signature decryption station (B) comprising :

= receiver means (RC) for receiving said pair of integers (u,v) representative of an encrypted signature corresponding to said integer x ;
= means for interrogating a public directory (PD) for being transferred therefrom at least said modulus m, said pair of integers (a,b) and said public multiplier e ;
= storage means for at least said transferred modulus m, said transferred pair of integers (a,b) and said transferred public multiplier e ;
= elliptic-curve computation means (ECC) for performing an elliptic-curve computation

        Q(s,t) = e · P(u,v)

  on said point P(u,v) of said elliptic curve whose coordinates are said pair of integers (u,v), for computing a point Q(s,t) of said elliptic curve whose coordinates are said pair of integers (s,t) ; and
= an authentication means comprising :
  = means (EM) for computing a decrypted signature at least from said integer s, taking into account said predetermined relationship between said integer s and said integer x, and
  = means (VM) for determining whether said decrypted signature satisfies the predetermined conditions to which the integer x is subject, in which case said decrypted signature is deemed to be proven authentic ;

whereby the signature decryption station is capable of decrypting and authenticating an encrypted signature received from the corresponding signature encryption station (A). (Fig. 1)

15. Cryptographic system according to any one of claims 7 to 10, in which the decryption station is a signature decryption station (B) comprising:

- receiver means (RC) for receiving said pair of integers (u,v), which represent an encrypted signature corresponding to said integer x;
- input means for receiving the input of at least said modulus m, said pair of integers (a,b) and said public multiplier e, which have been obtained from said trapdoor generator through said transmission means;
- means for querying a public directory (PD) in order to obtain, transmitted from it, at least said modulus m, said pair of integers (a,b) and said public multiplier e;
- storage means at least for said transmitted modulus m, said transmitted pair of integers (a,b) and said transmitted public multiplier e;
- elliptic curve computation means (ECC) for performing an elliptic curve computation

  $Q(s,t) = e \cdot P(u,v)$

  on said point P(u,v) of said elliptic curve, whose coordinates are said pair of integers (u,v), in order to compute a point Q(s,t) of said elliptic curve, whose coordinates are said pair of integers (s,t); and
- an authentication means comprising:
  - means (EM) for computing a decrypted signature at least from said integer s, taking into account said predetermined relationship between said integer s and said integer x, and
  - means (VM) for determining whether said decrypted signature satisfies the predetermined conditions to which the integer x is subject, in which case said decrypted signature is deemed proven authentic;

so that the signature decryption station is able to decrypt and authenticate an encrypted signature received from the corresponding signature encryption station (A). (Fig. 1)

16. Cryptographic system according to claims 13 and 14, in which said authentication means comprises means for determining whether each of the t least significant bits of the integer s has said same binary value.

17. Cryptographic system according to claim 2, in which the encryption station is a signature encryption station comprising:

- said trapdoor generator;
- means for selecting a pair of integers (x,y) which satisfy the conditions 0 ≤ x < m and 0 ≤ y < m and in addition satisfy predetermined conditions that are provided as a preset in all stations of the cryptographic system;
- means for computing an integer a according to an equation

  $a \equiv [(y^2/x) - x^2] \pmod{m}$

  in the case where the value j = 4 was selected for said integer j at the trapdoor generator, and according to the equation a = 0 in the case where the value j = 3 was selected for said integer j at the trapdoor generator, the means for computing an integer a being dispensable in the latter case;
- elliptic curve computation means for performing an elliptic curve computation

  $Q(w,z) = d \cdot P(x,y)$

  on a point P(x,y) of an elliptic curve, this point representing said integers (x,y), using the value of the integer a computed in said computing means, in order to compute a point Q(w,z) of that elliptic curve whose coordinates are a pair of integers (w,z) which represent an encrypted signature corresponding to said pair of integers (x,y); and
- transmission means for transmitting said pair of integers (w,z) for the purpose of their reception at a signature decryption station;

so that the signature encryption station is able to generate a signature and transmit it to a corresponding signature decryption station, which signature enables its authentication at the signature decryption station.

18. Cryptographic system according to claim 2, in which the encryption station is a signature encryption station comprising:

- said trapdoor generator;
- input means for receiving the input of a pair of integers (x,y) which satisfy the conditions 0 ≤ x < m and 0 ≤ y < m and in addition satisfy predetermined conditions that are provided as a preset in all stations of the cryptographic system;
- storage means for said pair of integers (x,y);
- means for computing an integer a according to an equation

  $a \equiv [(y^2/x) - x^2] \pmod{m}$

  in the case where the value j = 4 was selected for said integer j at the trapdoor generator, and according to the equation a = 0 in the case where the value j = 3 was selected for said integer j at the trapdoor generator, the means for computing an integer a being dispensable in the latter case;
- elliptic curve computation means for performing an elliptic curve computation

  $Q(w,z) = d \cdot P(x,y)$

  on a point P(x,y) of an elliptic curve which represents said integers (x,y), using the value of the integer a computed in said computing means, in order to compute a point Q(w,z) of that elliptic curve whose coordinates are a pair of integers (w,z) which represent an encrypted signature corresponding to said pair of integers (x,y); and
- transmission means for transmitting said pair of integers (w,z) for the purpose of their reception at a signature decryption station;

so that the signature encryption station is able to generate a signature and transmit it to a corresponding signature decryption station, which signature enables its authentication at the signature decryption station.

19. Cryptographic system according to claim 2, in which

• the encryption station is a signature encryption station,

• said trapdoor generator additionally comprises means for transmitting at least said plurality r of distinct prime numbers $p_i$, said modulus m and said secret multiplier d to the signature encryption station, and

• the signature encryption station comprises:

  - input means for receiving the input of at least said plurality r of distinct prime numbers $p_i$, said modulus m and said secret multiplier d;
  - storage means at least for said input plurality r of distinct prime numbers $p_i$, said input modulus m and said input secret multiplier d;
  - means for selecting a pair of integers (x,y) which satisfy the conditions 0 ≤ x < m and 0 ≤ y < m and in addition satisfy predetermined conditions that are provided as a preset in all stations of the cryptographic system;
  - means for computing an integer a according to an equation

    $a \equiv [(y^2/x) - x^2] \pmod{m}$

    in the case where the value j = 4 was selected for said integer j at the trapdoor generator, and according to the equation a = 0 in the case where the value j = 3 was selected for said integer j at the trapdoor generator, the means for computing an integer a being dispensable in the latter case;
  - elliptic curve computation means for performing an elliptic curve computation

    $Q(w,z) = d \cdot P(x,y)$

    on a point P(x,y) of an elliptic curve, this point representing said integers (x,y), using the value of the integer a computed in said computing means, in order to compute a point Q(w,z) of that elliptic curve whose coordinates are a pair of integers (w,z) which represent an encrypted signature corresponding to said pair of integers (x,y); and
  - transmission means for transmitting said pair of integers (w,z) for the purpose of their reception at a signature decryption station;

so that the signature encryption station is able to generate a signature and transmit it to a corresponding signature decryption station, which signature enables its authentication at the signature decryption station.

20. Cryptographic system according to claim 2, in which

• the encryption station is a signature encryption station,

• said trapdoor generator additionally comprises means for transmitting at least said plurality r of distinct prime numbers $p_i$, said modulus m and said secret multiplier d to the signature encryption station, and

• the signature encryption station comprises:

  - input means for receiving the input of at least said plurality r of distinct prime numbers $p_i$, said modulus m and said secret multiplier d, and additionally for receiving the input of a pair of integers (x,y) which satisfy the conditions 0 ≤ x < m and 0 ≤ y < m and in addition satisfy predetermined conditions that are provided as a preset in all stations of the cryptographic system;
  - storage means at least for said input plurality r of distinct prime numbers $p_i$, said input modulus m and said input secret multiplier d;
  - means for selecting a pair of integers (x,y) which satisfy the conditions 0 ≤ x < m and 0 ≤ y < m and in addition satisfy predetermined conditions that are provided as a preset in all stations of the cryptographic system;
  - means for computing an integer a according to an equation

    $a \equiv [(y^2/x) - x^2] \pmod{m}$

    in the case where the value j = 4 was selected for said integer j at the trapdoor generator, and according to the equation a = 0 in the case where the value j = 3 was selected for said integer j at the trapdoor generator, the means for computing an integer a being dispensable in the latter case;
  - elliptic curve computation means for performing an elliptic curve computation

    $Q(w,z) = d \cdot P(x,y)$

    on a point P(x,y) of an elliptic curve, this point representing said integers (x,y), using the value of the integer a computed in said computing means, in order to compute a point Q(w,z) of that elliptic curve whose coordinates are a pair of integers (w,z) which represent an encrypted signature corresponding to said pair of integers (x,y); and
  - transmission means for transmitting said pair of integers (w,z) for the purpose of their reception at a signature decryption station;

so that the signature encryption station is able to generate a signature and transmit it to a corresponding signature decryption station, which signature enables its authentication at the signature decryption station.

21. Cryptographic system according to claim 5 and any one of claims 17 to 20, in which the decryption station is a signature decryption station comprising:

- means for querying a public directory in order to obtain, transmitted from it, at least said modulus m and said public multiplier e;
- storage means at least for said transmitted modulus m and said transmitted public multiplier e;
- receiver means for receiving said pair of integers (w,z), which represent an encrypted message corresponding to said pair of integers (x,y);
- means for computing an integer a according to an equation

  $a \equiv [(z^2/w) - w^2] \pmod{m}$

  in the case where the value j = 4 was selected for said integer j at the trapdoor generator, and according to the equation a = 0 in the case where the value j = 3 was selected for said integer j at the trapdoor generator, the means for computing an integer a being dispensable in the latter case;
- elliptic curve computation means for performing an elliptic curve computation

  $P(x,y) = e \cdot Q(w,z)$

  on a point Q(w,z) of that elliptic curve whose coordinates are a pair of integers (w,z), using the value of the integer a computed in said computing means, in order to compute a point P(x,y) of that elliptic curve whose coordinates are a pair of integers (x,y) which represent a decrypted message; and
- an authentication means for determining whether said elliptic curve computation means has successfully computed a pair of integers (x,y) that satisfies the predetermined conditions that are provided as a preset in all stations of the cryptographic system;

so that the signature decryption station is able to decrypt and authenticate an encrypted signature received from the corresponding signature encryption station.

22. Cryptographic system according to claim 5 and any one of claims 17 to 20, in which the decryption station is a signature decryption station comprising:

- input means for receiving the input of at least said modulus m and said public multiplier e, which have been obtained from said trapdoor generator through said transmission means;
- storage means at least for said transmitted modulus m and said transmitted public multiplier e;
- receiver means for receiving said pair of integers (w,z), which represent an encrypted message corresponding to said pair of integers (x,y);
- means for computing an integer a according to an equation

  $a \equiv [(y^2/x) - x^2] \pmod{m}$

  in the case where the value j = 4 was selected for said integer j at the trapdoor generator, and according to the equation a = 0 in the case where the value j = 3 was selected for said integer j at the trapdoor generator, the means for computing an integer a being dispensable in the latter case;
- elliptic curve computation means for performing an elliptic curve computation

  $P(x,y) = e \cdot Q(w,z)$

  on a point Q(w,z) of that elliptic curve whose coordinates are a pair of integers (w,z), using the value of the integer a computed in said computing means, in order to compute a point P(x,y) of that elliptic curve whose coordinates are a pair of integers (x,y) which represent a decrypted message; and
- an authentication means for determining whether said elliptic curve computation means has successfully computed a pair of integers (x,y) that satisfies the predetermined conditions that are provided as a preset in all stations of the cryptographic system;

so that the signature decryption station is able to decrypt and authenticate an encrypted signature received from the corresponding signature encryption station.

23. Cryptographic system according to claim 6 and any one of claims 17 to 20, in which the decryption station is a signature decryption station comprising:

- means for querying a public directory in order to obtain, transmitted from it, at least said modulus m, said public multiplier e and said integer j;
- storage means at least for said transmitted modulus m, said transmitted public multiplier e and said integer j;
- receiver means for receiving said pair of integers (w,z), which represent an encrypted message corresponding to said pair of integers (x,y);
- means for computing an integer a according to an equation

  $a \equiv [(y^2/x) - x^2] \pmod{m}$

  in the case where the value j = 4 was selected for said integer j at the trapdoor generator, and according to the equation a = 0 in the case where the value j = 3 was selected for said integer j at the trapdoor generator, the means for computing an integer a being dispensable in the latter case;
- elliptic curve computation means for performing an elliptic curve computation

  $P(x,y) = e \cdot Q(w,z)$

  on a point Q(w,z) of that elliptic curve whose coordinates are a pair of integers (w,z), using the value of the integer a computed in said computing means, in order to compute a point P(x,y) of that elliptic curve whose coordinates are a pair of integers (x,y) which represent a decrypted message; and
- an authentication means for determining whether said elliptic curve computation means has successfully computed a pair of integers (x,y) that satisfies the predetermined conditions that are provided as a preset in all stations of the cryptographic system;

so that the signature decryption station is able to decrypt and authenticate an encrypted signature received from the corresponding signature encryption station.

24. Cryptographic system according to claim 6 and any one of claims 17 to 20, in which the decryption station is a signature decryption station comprising:

- input means for receiving the input of at least said modulus m, said public multiplier e and said integer j, which have been obtained from said trapdoor generator through said transmission means;
- storage means at least for said transmitted modulus m, said transmitted public multiplier e and said integer j;
- receiver means for receiving said pair of integers (w,z), which represent an encrypted message corresponding to said pair of integers (x,y);
- means for computing an integer a according to an equation

  $a \equiv [(y^2/x) - x^2] \pmod{m}$

  in the case where the value j = 4 was selected for said integer j at the trapdoor generator, and according to the equation a = 0 in the case where the value j = 3 was selected for said integer j at the trapdoor generator, the means for computing an integer a being dispensable in the latter case;
- elliptic curve computation means for performing an elliptic curve computation

  $P(x,y) = e \cdot Q(w,z)$

  on a point Q(w,z) of that elliptic curve whose coordinates are a pair of integers (w,z), using the value of the integer a computed in said computing means, in order to compute a point P(x,y) of that elliptic curve whose coordinates are a pair of integers (x,y) which represent a decrypted message; and
- an authentication means for determining whether said elliptic curve computation means has successfully computed a pair of integers (x,y) that satisfies the predetermined conditions that are provided as a preset in all stations of the cryptographic system;

so that the signature decryption station is able to decrypt and authenticate an encrypted signature received from the corresponding signature encryption station.

25. Cryptographic system according to claims 3 and 5, in which the encryption station is a message encryption station (B) comprising:

- means for querying a public directory in order to obtain, transmitted from it, at least said modulus m and said public multiplier e;
- storage means at least for said transmitted modulus m and said transmitted public multiplier e;
- message input means for receiving the input of a pair of integers (x,y) which represent a message and satisfy the conditions 0 ≤ x < m and 0 ≤ y < m;
- means for computing an integer a according to an equation

  $a \equiv [(y^2/x) - x^2] \pmod{m}$

  in the case where the value j = 4 was selected for said integer j at the trapdoor generator, and according to the equation a = 0 in the case where the value j = 3 was selected for said integer j at the trapdoor generator, the means for computing an integer a being dispensable in the latter case;
- elliptic curve computation means (ECC) for performing an elliptic curve computation

  $Q(w,z) = e \cdot P(x,y)$

  on a point P(x,y) of an elliptic curve which represents said integers (x,y), using the value of the integer a computed in said computing means, in order to compute a point Q(w,z) of that elliptic curve whose coordinates are a pair of integers (w,z) which represent an encrypted message corresponding to said pair of integers (x,y); and
- transmission means (TR) for transmitting said pair of integers (w,z) for the purpose of their reception at a message decryption station (A);

so that the message encryption station is able to encrypt and transmit a message, which message enables its decryption at a receiving and decryption station for messages. (Fig. 2)

26. Cryptographic system according to claims 4 and 5, in which the encryption station is a message encryption station (B) comprising:

- input means for receiving the input of at least said modulus m and said public multiplier e, which have been obtained from said trapdoor generator through said transmission means;
- storage means at least for said transmitted modulus m and said transmitted public multiplier e;
- message input means for receiving the input of a pair of integers (x,y) which represent a message and satisfy the conditions 0 ≤ x < m and 0 ≤ y < m;
- means for computing an integer a according to an equation

  $a \equiv [(y^2/x) - x^2] \pmod{m}$

  in the case where the value j = 4 was selected for said integer j at the trapdoor generator, and according to the equation a = 0 in the case where the value j = 3 was selected for said integer j at the trapdoor generator, the means for computing an integer a being dispensable in the latter case;
- elliptic curve computation means (ECC) for performing an elliptic curve computation

  $Q(w,z) = e \cdot P(x,y)$

  on a point P(x,y) of an elliptic curve which represents said integers (x,y), using the value of the integer a computed in said computing means, in order to compute a point Q(w,z) of that elliptic curve whose coordinates are a pair of integers (w,z) which represent an encrypted message corresponding to said pair of integers (x,y); and
- transmission means (TR) for transmitting said pair of integers (w,z) for the purpose of their reception at a message decryption station (A);

so that the message encryption station is able to encrypt and transmit a message, which message enables its decryption at a receiving and decryption station for messages. (Fig. 2)

27. Cryptographic system according to claims 3 and 6, in which the encryption station is a message encryption station (B) comprising:

- means for querying a public directory in order to obtain, transmitted from it, at least said modulus m, said public multiplier e and said integer j;
- storage means at least for said transmitted modulus m, said transmitted public multiplier e and said integer j;
- message input means for receiving the input of a pair of integers (x,y) which represent a message and satisfy the conditions 0 ≤ x < m and 0 ≤ y < m;
- means for computing an integer a according to an equation

  $a \equiv [(y^2/x) - x^2] \pmod{m}$

  in the case where the value j = 4 was selected for said integer j at the trapdoor generator, and according to the equation a = 0 in the case where the value j = 3 was selected for said integer j at the trapdoor generator, the means for computing an integer a being dispensable in the latter case;
- elliptic curve computation means (ECC) for performing an elliptic curve computation

  $Q(w,z) = e \cdot P(x,y)$

  on a point P(x,y) of an elliptic curve which represents said integers (x,y), using the value of the integer a computed in said computing means, in order to compute a point Q(w,z) of that elliptic curve whose coordinates are a pair of integers (w,z) which represent an encrypted message corresponding to said pair of integers (x,y); and
- transmission means (TR) for transmitting said pair of integers (w,z) for the purpose of their reception at a message decryption station (A);

so that the message encryption station is able to encrypt and transmit a message, which message enables its decryption at a receiving and decryption station for messages. (Fig. 2)

28. Cryptographic system according to claims 4 and 6, in which the encryption station is a message encryption station (B) comprising:

- input means for receiving the input of at least said modulus m, said public multiplier e and said integer j, which have been obtained from said trapdoor generator through said transmission means;
- storage means at least for said transmitted modulus m, said transmitted public multiplier e and said integer j;
- message input means for receiving the input of a pair of integers (x,y) which represent a message and satisfy the conditions 0 ≤ x < m and 0 ≤ y < m;
- means for computing an integer a according to an equation

  $a \equiv [(y^2/x) - x^2] \pmod{m}$

  in the case where the value j = 4 was selected for said integer j at the trapdoor generator, and according to the equation a = 0 in the case where the value j = 3 was selected for said integer j at the trapdoor generator, the means for computing an integer a being dispensable in the latter case;
- elliptic curve computation means (ECC) for performing an elliptic curve computation

  $Q(w,z) = e \cdot P(x,y)$

  on a point P(x,y) of an elliptic curve which represents said integers (x,y), using the value of the integer a computed in said computing means, in order to compute a point Q(w,z) of that elliptic curve whose coordinates are a pair of integers (w,z) which represent an encrypted message corresponding to said pair of integers (x,y); and
- transmission means (TR) for transmitting said pair of integers (w,z) for the purpose of their reception at a message decryption station (A);

so that the message encryption station is able to encrypt and transmit a message, which message enables its decryption at a receiving and decryption station for messages. (Fig. 2)

29. Cryptographic system according to claim 2 and any one of claims 25 to 28, in which the decryption station is a message decryption station comprising:

- said trapdoor generator;
- receiver means for receiving said pair of integers (w,z), which represent an encrypted message corresponding to said pair of integers (x,y);
- means for computing an integer a according to an equation

  $a \equiv [(z^2/w) - w^2] \pmod{m}$

  in the case where the value j = 4 was selected for said integer j at the trapdoor generator, and according to the equation a = 0 in the case where the value j = 3 was selected for said integer j at the trapdoor generator, the means for computing an integer a being dispensable in the latter case;
- elliptic curve computation means for performing an elliptic curve computation

  $P(x,y) = d \cdot Q(w,z)$

  on a point Q(w,z) of that elliptic curve whose coordinates are a pair of integers (w,z), using the value of the integer a computed in said computing means, in order to compute a point P(x,y) of that elliptic curve whose coordinates are a pair of integers (x,y) which represent a decrypted message; and

so that the message decryption station is able to receive and decrypt a message.
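The j = 4 message path claimed above (compute a from the plaintext pair, Q = e · P at the encryption station, recompute a from (w,z) and P = d · Q at the decryption station) can be traced with the following added example, which is not code from the patent. It assumes a trapdoor of two primes congruent to 3 mod 4 with d ≡ e⁻¹ mod lcm(p+1, q+1); the primes, the sample message pair and all function names are constructed for illustration.

```python
from math import gcd

# Constructed demo primes, both congruent to 3 mod 4. They are Mersenne primes,
# picked only because their primality is well known; p + 1 is a power of two, so
# a modulus built from them is easy to factor and must never serve as a real key.
P_DEMO = 2**127 - 1
Q_DEMO = 2**89 - 1

class NotInvertible(ArithmeticError):
    """A denominator shares a factor with m, so the step is undefined over Z_m."""

def inv(v, m):
    v %= m
    if gcd(v, m) != 1:
        raise NotInvertible("value has no inverse modulo m")
    return pow(v, -1, m)

def trapdoor(p, q, e):
    """Assumed j = 4 trapdoor: y^2 = x^3 + a*x (a != 0) has p + 1 points mod p."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("both primes must be congruent to 3 mod 4")
    n = (p + 1) * (q + 1) // gcd(p + 1, q + 1)   # lcm of the two group orders
    return p * q, e, inv(e, n)                    # (m, public e, secret d)

def curve_a(x, y, m):
    """a = (y^2/x - x^2) mod m: the one a that puts (x, y) on y^2 = x^3 + a*x."""
    return (y * y * inv(x, m) - x * x) % m

def add(P, Q, a, m):
    """Affine addition on y^2 = x^3 + a*x over Z_m; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % m == 0:
        return None
    if x1 == x2 and y1 == y2:
        lam = (3 * x1 * x1 + a) * inv(2 * y1, m) % m
    else:
        # Raises NotInvertible when the points collide modulo only one prime.
        lam = (y2 - y1) * inv(x2 - x1, m) % m
    x3 = (lam * lam - x1 - x2) % m
    return x3, (lam * (x1 - x3) - y1) % m

def mul(k, P, a, m):
    """Left-to-right double-and-add scalar multiplication k * P."""
    R = None
    for bit in bin(k)[2:]:
        R = add(R, R, a, m)
        if bit == "1":
            R = add(R, P, a, m)
    return R

def encrypt(x, y, m, e):
    """Message encryption station: Q(w,z) = e * P(x,y)."""
    x, y = x % m, y % m
    return mul(e, (x, y), curve_a(x, y, m), m)

def decrypt(w, z, m, d):
    """Message decryption station: a is recomputed from (w,z), then P = d * Q."""
    return mul(d, (w, z), curve_a(w, z, m), m)

if __name__ == "__main__":
    m, e, d = trapdoor(P_DEMO, Q_DEMO, 65537)
    x = int.from_bytes(b"station-B", "big")      # constructed sample message pair
    y = int.from_bytes(b"to A: hi", "big")
    w, z = encrypt(x, y, m, e)
    print("same curve parameter:", curve_a(w, z, m) == curve_a(x, y, m))
    print("round trip ok:", decrypt(w, z, m, d) == (x, y))
```

The curve parameter a never travels with the ciphertext because any point on y² = x³ + ax determines it; a pair whose x (or w) is not invertible modulo m is rejected rather than processed.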

30. Cryptographic system according to claim 5 and any one of claims 25 to 28, in which

• the decryption station is a message decryption station,

• the trapdoor generator additionally comprises means for transmitting at least said modulus m and said secret multiplier d to the message decryption station, and

• the message decryption station comprises:

  - input means for receiving the input of at least said modulus m and said secret multiplier d;
  - storage means at least for said input modulus m and said input secret multiplier d;
  - receiver means for receiving said pair of integers (w,z), which represent an encrypted message corresponding to said pair of integers (x,y);
  - means for computing an integer a according to an equation

    $a \equiv [(z^2/w) - w^2] \pmod{m}$

    in the case where the value j = 4 was selected for said integer j at the trapdoor generator, and according to the equation a = 0 in the case where the value j = 3 was selected for said integer j at the trapdoor generator, the means for computing an integer a being dispensable in the latter case;
  - elliptic curve computation means for performing an elliptic curve computation

    $P(x,y) = d \cdot Q(w,z)$

    on a point Q(w,z) of that elliptic curve whose coordinates are a pair of integers (w,z), using the value of the integer a computed in said computing means, in order to compute a point P(x,y) of that elliptic curve whose coordinates are a pair of integers (x,y) which represent a decrypted message; and

so that the message decryption station is able to receive and decrypt a message.

31. Cryptographic system according to claim 6 and any one of claims 25 to 28, in which

• the decryption station is a message decryption station,

• the trapdoor generator further comprises means for transferring at least said modulus m, said secret multiplier d and said integer j to the message decryption station, and

• the message decryption station comprises:

= input means for receiving the input of at least said modulus m, said secret multiplier d and said integer j;
= storage means for at least said input modulus m, said input secret multiplier d and said integer j;
= receiver means for receiving said pair of integers (w,z) representative of an encrypted message corresponding to said pair of integers (x,y);
= means for computing an integer a according to an equation

a ≡ [(z²/w) − w²] (mod m)

in the case where the value j = 4 has been selected at the trapdoor generator for said integer j, and according to the equation a = 0 in the case where the value j = 3 has been selected at the trapdoor generator for said integer j, the means for computing an integer a being dispensable in the latter case;
= elliptic curve computation means for performing an elliptic curve computation

P(x,y) = d · Q(w,z)

on a point Q(w,z) of that elliptic curve whose coordinates are a pair of integers (w,z), using the value of the integer a computed in said means for computing, to compute a point P(x,y) of that elliptic curve whose coordinates are a pair of integers (x,y) representative of a decrypted message; and

so that the message decryption station is capable of receiving and decrypting a message.

32. Cryptographic system according to claim 2, further comprising:

= a trusted authority (TA) for issuing data enabling the identification of a station of the cryptographic system; and

= at least one identification device (ID) included in a station of the cryptographic system and provided with storage means (SM) for said data enabling the identification;

= at least one verification device (VD) included in another station of the cryptographic system and adapted to cooperate with said identification device;

• wherein said trusted authority is provided with said trapdoor generator and further comprises:

= means for selecting an identification data string I uniquely representative of an identity of an applicant for said identification device;

= means for selecting a function f which assigns to any of said unique data strings I a corresponding unique pair of integers (x,y) satisfying the conditions 0 ≤ x < m and 0 ≤ y < m, these integers (x,y) being representative of a point P(x,y) = f(I) of an elliptic curve;
= elliptic curve computation means (ECC) for performing an elliptic curve computation

Q(s,t) = d · P(x,y)

on said point P(x,y) to compute a point Q(s,t) of said elliptic curve whose coordinates are a pair of integers (s,t) representative of an encrypted data string corresponding to said identification data string I; and
= transmission means (TR) for transferring at least said identification data string I, said modulus m, said public multiplier e, said pair of integers (x,y) and said pair of integers (s,t) to said storage means (SM) of said identification device (ID) for storage therein. (Fig. 3)

33. Cryptographic system according to claim 32, in which said function f is provided as a default setting in all stations of the cryptographic system.

34. Cryptographic system according to claim 32, in which said data transferred by said transmission means also comprise said function f.

35. Cryptographic system according to claim 33, in which

• said identification device (ID) comprises:

= means for computing the integer a according to an equation

a ≡ [(y²/x) − x²] (mod m)

in the case where the value j = 4 has been selected at the trapdoor generator for said integer j, and according to the equation a = 0 in the case where the value j = 3 has been selected at the trapdoor generator for said integer j, the means for computing an integer a being dispensable in the latter case;
= means for selecting a random integer r satisfying the conditions 0 ≤ r ≤ l, where l is an integer which is provided as a default setting in all stations of the cryptographic system and satisfies the condition l < m;
= elliptic curve computation means (ECC) for performing an elliptic curve computation

U(u_x,u_y) = r · P(x,y)

on said point P(u,v) of said elliptic curve whose coordinates are said pair of integers (u,v), to compute a point U(u_x,u_y) of that elliptic curve whose coordinates are a pair of integers (u_x,u_y);
= elliptic curve computation means (ECC) for performing an elliptic curve computation

V(v_x,v_y) = e · U(u_x,u_y)

on said point U(u_x,u_y) of said elliptic curve whose coordinates are said pair of integers (u_x,u_y), to compute a point V(v_x,v_y) of that elliptic curve whose coordinates are a pair of integers (v_x,v_y);

= transmission means (TR) for transmitting at least said identification data string I and said pair of integers (v_x,v_y) for reception thereof at said other station containing the verification device (VD);

= receiver means (RC) for receiving an integer k as a challenge from said other station containing the verification device;

= elliptic curve computation means (ECC) for performing an elliptic curve computation

W(w_x,w_y) = U(u_x,u_y) + k · Q(s,t)

on said point Q(s,t) of said elliptic curve whose coordinates are said pair of integers (s,t), to compute a point W(w_x,w_y) of said elliptic curve whose coordinates are said pair of integers (w_x,w_y);

= transmission means (TR) for transmitting said pair of integers (w_x,w_y) for reception thereof at said other station containing the verification device (VD); and

• said verification device (VD) comprises:

= means for computing said pair of integers (x,y) representative of a point P(x,y) = f(I) of said elliptic curve from said identification data string I according to said function f;

= means (RIG) for selecting a random integer k satisfying the condition 0 ≤ k ≤ (e − 1);

= transmission means (TR) for transmitting said random integer k for reception thereof as a challenge at said station containing the identification device;

= receiver means (RC) for receiving said pair of integers (w_x,w_y) as a response to said challenge from said station containing the identification device (ID);

= elliptic curve computation means (ECC) for performing an elliptic curve computation

T_1(t_1x,t_1y) = e · W(w_x,w_y)

on said point W(w_x,w_y) of said elliptic curve whose coordinates are said pair of integers (w_x,w_y), to compute a point T_1(t_1x,t_1y) of said elliptic curve whose coordinates are said pair of integers (t_1x,t_1y);

= elliptic curve computation means (ECC) for performing an elliptic curve computation

on said point W(w_x,w_y) of said elliptic curve whose coordinates are said pair of integers (w_x,w_y), to compute a point T_2(t_2x,t_2y) of said elliptic curve whose coordinates are said pair of integers (t_2x,t_2y); and

= means (CMP) for comparing said pairs of integers (t_1x,t_1y) and (t_2x,t_2y) with each other to determine whether the two test conditions t_1x = t_2x and t_1y = t_2y are satisfied by said pairs of integers (t_1x,t_1y) and (t_2x,t_2y);

so that the verification device is capable of determining whether an identification device is genuine. (Fig. 4)
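The challenge-response identification of claims 32 and 35, as an added Python example that is not part of the patent text: the trusted authority issues Q = d · P, the device commits to V = e · U, and the verifier accepts when e · W equals V + k · P, the T_2 form given in claims 36 and 37. The two Mersenne primes, e = 65537, the SHA-512-based function f and all function and class names are assumptions chosen for illustration.

```python
import hashlib
from math import gcd

# Constructed toy parameters (assumptions, not from the patent): two Mersenne
# primes with p_i + 1 = 0 (mod 4), i.e. the j = 4 case of claim 2.
P1, P2 = 2**89 - 1, 2**127 - 1
M = P1 * P2                                        # public modulus m
MU = (P1 + 1) * (P2 + 1) // gcd(P1 + 1, P2 + 1)    # mu = lcm of the (p_i + 1)
E = 65537                                          # public multiplier e, coprime to mu
D = pow(E, -1, MU)                                 # secret multiplier d = 1/e (mod mu)


def inv(v):
    """Inverse modulo m; raises ValueError if v shares a factor with m."""
    return pow(v % M, -1, M)


def add(A, B, a):
    """Add two points of y^2 = x^3 + a*x over Z_m; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % M == 0:
        return None
    if A == B:
        lam = (3 * x1 * x1 + a) * inv(2 * y1) % M
    else:
        lam = (y2 - y1) * inv(x2 - x1) % M
    x3 = (lam * lam - x1 - x2) % M
    return x3, (lam * (x1 - x3) - y1) % M


def mul(k, A, a):
    """Scalar multiple k*A by left-to-right double-and-add."""
    R = None
    for bit in bin(k)[2:]:
        R = add(R, R, a)
        if bit == "1":
            R = add(R, A, a)
    return R


def f(identity):
    """Hypothetical choice of the function f: SHA-512 of I split into (x, y) mod m."""
    h = hashlib.sha512(identity.encode()).digest()
    return int.from_bytes(h[:32], "big") % M, int.from_bytes(h[32:], "big") % M


def curve_a(pt):
    """a = (y^2/x) - x^2 (mod m): the j = 4 curve y^2 = x^3 + a*x through pt."""
    x, y = pt
    return (y * y * inv(x) - x * x) % M


def ta_issue(identity):
    """Trusted authority: Q(s,t) = d * P(x,y), stored in the identification device."""
    pt = f(identity)
    return mul(D, pt, curve_a(pt))


class IdentificationDevice:
    def __init__(self, identity, Q):
        self.identity, self.Q = identity, Q
        self.P = f(identity)
        self.a = curve_a(self.P)

    def commit(self, r):
        self.U = mul(r, self.P, self.a)               # U = r * P, kept secret
        return self.identity, mul(E, self.U, self.a)  # send I and V = e * U

    def respond(self, k):
        return add(self.U, mul(k, self.Q, self.a), self.a)   # W = U + k * Q


def verify(identity, V, k, W):
    """Verification device: accept iff T1 = e*W equals T2 = V + k*P."""
    pt = f(identity)
    a = curve_a(pt)
    return mul(E, W, a) == add(V, mul(k, pt, a), a)


def run_session(identity, Q, r, k):
    """One round: commitment, challenge k (0 <= k <= e-1), response, check."""
    device = IdentificationDevice(identity, Q)
    claimed, V = device.commit(r)
    return verify(claimed, V, k, device.respond(k))
```

A device that holds no Q (passed here as `None`) still passes a round in which the challenge happens to be k = 0, so a single round can be passed by guessing the challenge with probability 1/e. Repeating the challenge within one session lowers that chance.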

36. Cryptographic system according to claim 34, in which

• said trusted authority further comprises transmission means for transferring said function f to a corresponding storage means provided in said verification device, for locally storing said function f therein;

• said identification device comprises:

= means for computing the integer a according to an equation

a ≡ [(y²/x) − x²] (mod m)

in the case where the value j = 4 has been selected at the trapdoor generator for said integer j, and according to the equation a = 0 in the case where the value j = 3 has been selected at the trapdoor generator for said integer j, the means for computing an integer a being dispensable in the latter case;

= means for selecting a random integer k satisfying the condition 0 ≤ r ≤ m;

= elliptic curve computation means for performing an elliptic curve computation

U(u_x,u_y) = r · P(x,y)

on said point P(u,v) of said elliptic curve whose coordinates are said pair of integers (u,v), to compute a point U(u_x,u_y) of that elliptic curve whose coordinates are a pair of integers (u_x,u_y);
= elliptic curve computation means for performing an elliptic curve computation

V(v_x,v_y) = e · U(u_x,u_y)

on said point U(u_x,u_y) of said elliptic curve whose coordinates are said pair of integers (u_x,u_y), to compute a point V(v_x,v_y) of that elliptic curve whose coordinates are a pair of integers (v_x,v_y);

= transmission means for transmitting at least said identification data string I and said pair of integers (v_x,v_y) for reception thereof at said other station containing the verification device;

= receiver means for receiving an integer k as a challenge from said other station containing the verification device;

= elliptic curve computation means for performing an elliptic curve computation

W(w_x,w_y) = U(u_x,u_y) + k · Q(s,t)

on said point Q(s,t) of said elliptic curve whose coordinates are said pair of integers (s,t), to compute a point W(w_x,w_y) of said elliptic curve whose coordinates are said pair of integers (w_x,w_y);
= transmission means for transmitting said pair of integers (w_x,w_y) for reception thereof at said other station containing the verification device (VD); and

• said verification device comprises:

= input means for receiving the input of at least said function f from said trusted authority through its transmission means;
= storage means for at least said transferred function f;

= means for computing said pair of integers (x,y) representative of a point P(x,y) = f(I) of said elliptic curve from said identification data string I according to said function f;

= means for selecting a random integer k satisfying the condition 0 ≤ k ≤ (e − 1);

= transmission means for transmitting said random integer k for reception thereof as a challenge at said station containing the identification device;

= receiver means for receiving said pair of integers (w_x,w_y) as a response to said challenge from said station containing the identification device;

= elliptic curve computation means for performing an elliptic curve computation

on said point W(w_x,w_y) of said elliptic curve whose coordinates are said pair of integers (w_x,w_y), to compute a point T_1(t_1x,t_1y) of said elliptic curve whose coordinates are said pair of integers (t_1x,t_1y);
= elliptic curve computation means for performing an elliptic curve computation

T_2(t_2x,t_2y) = V(v_x,v_y) + k · P(x,y)

on said point W(w_x,w_y) of said elliptic curve whose coordinates are said pair of integers (w_x,w_y), to compute a point T_2(t_2x,t_2y) of said elliptic curve whose coordinates are said pair of integers (t_2x,t_2y);

= means for comparing said pairs of integers (t_1x,t_1y) and (t_2x,t_2y) with each other to determine whether the two test conditions t_1x = t_2x and t_1y = t_2y are satisfied by said pairs of integers (t_1x,t_1y) and (t_2x,t_2y);

so that the verification device is capable of determining whether an identification device is genuine.

Cryptographic system according to claim 34, in which

• said trusted authority further comprises transmission means for transferring said function f to a public directory which can be queried by any station of the cryptographic system, for locally storing said function f therein;

• said identification device comprises:

= means for computing the integer a according to an equation

a ≡ [(y²/x) − x²] (mod m)

in the case where the value j = 4 has been selected at the trapdoor generator for said integer j, and according to the equation a = 0 in the case where the value j = 3 has been selected at the trapdoor generator for said integer j, the means for computing an integer a being dispensable in the latter case;
= means for selecting a random integer k satisfying the condition 0 ≤ r ≤ m;
= elliptic curve computation means for performing an elliptic curve computation

U(u_x,u_y) = r · P(x,y)

on said point P(u,v) of said elliptic curve whose coordinates are said pair of integers (u,v), to compute a point U(u_x,u_y) of that elliptic curve whose coordinates are a pair of integers (u_x,u_y);
= elliptic curve computation means for performing an elliptic curve computation

V(v_x,v_y) = e · U(u_x,u_y)

on said point U(u_x,u_y) of said elliptic curve whose coordinates are said pair of integers (u_x,u_y), to compute a point V(v_x,v_y) of that elliptic curve whose coordinates are a pair of integers (v_x,v_y);

= transmission means for transmitting at least said identification data string I and said pair of integers (v_x,v_y) for reception thereof at said other station containing the verification device;

= receiver means for receiving an integer k as a challenge from said other station containing the verification device;

= elliptic curve computation means for performing an elliptic curve computation

W(w_x,w_y) = U(u_x,u_y) + k · Q(s,t)

on said point Q(s,t) of said elliptic curve whose coordinates are said pair of integers (s,t), to compute a point W(w_x,w_y) of said elliptic curve whose coordinates are said pair of integers (w_x,w_y);
= transmission means for transmitting said pair of integers (w_x,w_y) for reception thereof at said other station containing the verification device (VD); and

• said verification device comprises:

= means for querying a public directory to obtain therefrom at least said function f;
= storage means for at least said transferred function f;

= means for computing said pair of integers (x,y) representative of a point P(x,y) = f(I) of said elliptic curve from said identification data string I according to said function f;

= means for selecting a random integer k satisfying the condition 0 ≤ k ≤ (e − 1);

= transmission means for transmitting said random integer k for reception thereof as a challenge at said station containing the identification device;

= receiver means for receiving said pair of integers (w_x,w_y) as a response to said challenge from said station containing the identification device;

= elliptic curve computation means for performing an elliptic curve computation

T_1(t_1x,t_1y) = e · W(w_x,w_y)

on said point W(w_x,w_y) of said elliptic curve whose coordinates are said pair of integers (w_x,w_y), to compute a point T_1(t_1x,t_1y) of said elliptic curve whose coordinates are said pair of integers (t_1x,t_1y);

= elliptic curve computation means for performing an elliptic curve computation

T_2(t_2x,t_2y) = V(v_x,v_y) + k · P(x,y)

on said point W(w_x,w_y) of said elliptic curve whose coordinates are said pair of integers (w_x,w_y), to compute a point T_2(t_2x,t_2y) of said elliptic curve whose coordinates are said pair of integers (t_2x,t_2y); and
= means for comparing said pairs of integers (t_1x,t_1y) and (t_2x,t_2y) with each other to determine whether the two test conditions t_1x = t_2x and t_1y = t_2y are satisfied by said pairs of integers (t_1x,t_1y) and (t_2x,t_2y);
so that the verification device is capable of determining whether an identification device is genuine.

Cryptographic system according to any one of claims 35 to 37, in which said means for selecting a random integer k and said means for transmitting said random integer k as a challenge are adapted for multiply repeated operation in the course of an identification session.
Claims

1. Cryptographic system comprising at least one communication channel (COM), at least one encryption station (A;B), at least one decryption station (B;A), said encryption and decryption stations being mutually linked through the communication channel, and further comprising a trapdoor generator (TG), said trapdoor generator being characterised in that it comprises

= means for selecting a multiplicity r of distinct prime numbers p_i, where i is an integer satisfying the conditions 1 ≤ i ≤ r;
= means for generating a modulus m which is a product of said prime numbers p_i;
= means for selecting a pair of integers (a,b) satisfying the conditions 0 ≤ a < m and 0 ≤ b < m;

= means for computing, for each prime number p_i, a number N(p_i) of pairs of distinct integers (x,y) satisfying the conditions 0 ≤ x < p_i and 0 ≤ y < p_i and further satisfying the condition

y² ≡ x³ + ax + b (mod p_i)

and for computing from said numbers N(p_i) a sum value N(p_i) + 1 representative of an order of an elliptic curve defined as the set of said pairs of integers (x,y);

= means for computing a least common multiple μ of said sum values N(p_i) + 1;
= means for selecting a public multiplier e which is relatively prime to μ;
= means for computing a secret multiplier d according to an equation

d ≡ 1/e (mod μ);

and

= transfer means for transferring data comprising at least said modulus m, pair of integers (a,b) and public multiplier e to a corresponding storage means (PD) provided in the cryptographic system, for locally storing said data therein,
so that the cryptographic system is provided with a trapdoor one-way function for a transformation whose trapdoor is the secret multiplier d.

2. Cryptographic system comprising at least one communication channel (COM), at least one encryption station (A;B), at least one decryption station (B;A), said encryption and decryption stations being mutually linked through the communication channel, and further comprising a trapdoor generator (TG), said trapdoor generator being characterised in that it comprises

= means for selecting a multiplicity r of distinct prime numbers p_i, each having a corresponding respective sum value (p_i + 1) which satisfies the condition

(p_i + 1) ≡ 0 (mod j)

where i is an integer satisfying the conditions 1 ≤ i ≤ r and j is an integer whose value is selected from 3 and 4;
= means for generating a modulus m which is a product of said prime numbers p_i;
= means for computing the least common multiple μ of said numbers (p_i + 1);

= means for selecting a public multiplier e which is relatively prime to μ;
= means for computing a secret multiplier d according to an equation

d ≡ 1/e (mod μ);

and

= transfer means for transferring data comprising at least said modulus m and public multiplier e to a corresponding storage means (PD) provided in the cryptographic system, for locally storing said data therein,
so that the cryptographic system is provided with a trapdoor one-way function for a transformation whose trapdoor is the secret multiplier d.

Cryptographic system according to claim 1 or 2, in which said corresponding storage means is a public directory (PD) which can be queried by any station of the cryptographic system, for locally storing therein said data transferred from said trapdoor generator (TG) by said transfer means.

Cryptographic system according to claim 1 or 2, in which said corresponding storage means (ECC) is included in a station (A;B) of the cryptographic system, for locally storing therein said data transferred from said trapdoor generator by said transfer means.

Cryptographic system according to claim 2, in which said selected value of the integer j is provided as a default setting in all stations of the cryptographic system.

Cryptographic system according to claim 2, in which said data transferred by said transfer means also comprise said selected value of the integer j.

Cryptographic system according to claim 1, in which the encryption station is a signature encryption station (A) which comprises
= said trapdoor generator (TG);

= means for selecting an integer x subject to predetermined conditions provided as a default setting in all stations of the cryptographic system;

= a message-to-elliptic-curve conversion means (ME) for computing from said integer x a pair of integers (s,t) such that

= said integer s satisfies a predetermined relation with said integer x, which relation is provided as a default setting in all stations of the cryptographic system, and

= said pair of integers (s,t) satisfies the condition

t² ≡ s³ + as + b (mod m)

so that said integers (s,t) are representative of a point Q(s,t) of said elliptic curve;

= an elliptic curve computation means (ECC) for performing on said point Q(s,t) an elliptic curve computation

P(u,v) = d · Q(s,t)

to compute a point P(u,v) of said elliptic curve whose coordinates are a pair of integers (u,v) representative of an encrypted signature corresponding to said integer x; and

= transmission means (TR) for transmitting said pair of integers (u,v) for reception thereof at a signature decryption station (B);
so that the signature encryption station is capable of generating and transmitting to a corresponding signature decryption station a signature which allows its authenticity to be verified at the signature decryption station. (Fig. 1)

Cryptographic system according to claim 1, in which the encryption station is a signature encryption station (A) which comprises
= said trapdoor generator (TG);

= input means for receiving the input of an integer x subject to predetermined conditions provided as a default setting in all stations of the cryptographic system;
= a storage means for said input integer x;

= a message-to-elliptic-curve conversion means (ME) for computing from said integer x a pair of integers (s,t) such that
= said integer s satisfies a predetermined relation with said integer x, which relation is provided as a default setting in all stations of the cryptographic system, and

= said pair of integers (s,t) satisfies the condition

t² ≡ s³ + as + b (mod m)

so that said integers (s,t) are representative of a point Q(s,t) of said elliptic curve;

= an elliptic curve computation means (ECC) for performing on said point Q(s,t) an elliptic curve computation

P(u,v) = d · Q(s,t)

to compute a point P(u,v) of said elliptic curve whose coordinates are a pair of integers (u,v) representative of an encrypted signature corresponding to said integer x; and
= transmission means (TR) for transmitting said pair of integers (u,v) for reception thereof at a signature decryption station (B);
so that the signature encryption station is capable of generating and transmitting to a corresponding signature decryption station a signature which allows its authenticity to be verified at the signature decryption station. (Fig. 1)

Cryptographic system according to claim 1, in which
• the encryption station is a signature encryption station (A),

• the trapdoor generator (TG) further comprises means for transferring at least said multiplicity r of distinct prime numbers p_i, modulus m, pair of integers (a,b) and secret multiplier d to the signature encryption station, and

• the signature encryption station comprises

= input means for receiving at least said multiplicity r of distinct prime numbers p_i, modulus m, pair of integers (a,b) and secret multiplier d;

= a storage means for at least said input multiplicity r of distinct prime numbers p_i, modulus m, pair of integers (a,b) and secret multiplier d;

= means for selecting an integer x subject to predetermined conditions provided as a default setting in all stations of the cryptographic system;

= a message-to-elliptic-curve conversion means (ME) for computing from said integer x a pair of integers (s,t) such that

= said integer s satisfies a predetermined relation with said integer x, which relation is provided as a default setting in all stations of the cryptographic system, and

= said pair of integers (s,t) satisfies the condition

t² ≡ s³ + as + b (mod m)

so that said integers (s,t) are representative of a point Q(s,t) of said elliptic curve;

= an elliptic curve computation means (ECC) for performing on said point Q(s,t) an elliptic curve computation

P(u,v) = d · Q(s,t)

to compute a point P(u,v) of said elliptic curve whose coordinates are a pair of integers (u,v) representative of an encrypted signature corresponding to said integer x; and

= transmission means (TR) for transmitting said pair of integers (u,v) for reception thereof at a signature decryption station (B);
so that the signature encryption station is capable of generating and transmitting to a corresponding signature decryption station a signature which allows its authenticity to be verified at the signature decryption station. (Fig. 1)

10. Cryptographic system according to claim 1, in which

• the encryption station is a signature encryption station (A),

• the trapdoor generator (TG) further comprises means for transferring at least said multiplicity r of distinct prime numbers p_i, modulus m, pair of integers (a,b) and secret multiplier d to the signature encryption station, and
• the signature encryption station comprises

= input means for receiving at least said multiplicity r of distinct prime numbers p_i, modulus m, pair of integers (a,b) and secret multiplier d, and further for receiving the input of an integer x subject to predetermined conditions provided as a default setting in all stations of the cryptographic system;
= a storage means for at least said input multiplicity r of distinct prime numbers p_i, modulus m, pair of integers (a,b), secret multiplier d and integer x;
= a message-to-elliptic-curve conversion means (ME) for computing from said integer x a pair of integers (s,t) such that
= said integer s satisfies a predetermined relation with said integer x, which relation is provided as a default setting in all stations of the cryptographic system, and

= said pair of integers (s,t) satisfies the condition

t² ≡ s³ + as + b (mod m)

so that said integers (s,t) are representative of a point Q(s,t) of said elliptic curve;

= an elliptic curve computation means (ECC) for performing on said point Q(s,t) an elliptic curve computation

P(u,v) = d · Q(s,t)

to compute a point P(u,v) of said elliptic curve whose coordinates are a pair of integers (u,v) representative of an encrypted signature corresponding to said integer x; and

= transmission means (TR) for transmitting said pair of integers (u,v) for reception thereof at a signature decryption station (B);
so that the signature encryption station is capable of generating and transmitting to a corresponding signature decryption station a signature which allows its authenticity to be verified at the signature decryption station. (Fig. 1)

11. Cryptographic system according to any one of claims 7 to 10, wherein said
message-to-elliptic-curve conversion means (ME) comprises

= means for computing said integer s from said integer x by assigning to said integer s the
smallest value which satisfies the condition

and for which the expression

    $$s^3 + as + b \pmod{m}$$

results in a quadratic residue (mod m); and

= means for computing said integer t as a square root (mod m) of said quadratic residue
(mod m).

12. Cryptographic system according to any one of claims 7 to 10, wherein said integer x is
selected so as to have a predetermined inherent redundancy.

13. Cryptographic system according to claim 11, wherein said integer x is selected such that
its binary representation has a predetermined number of least significant bits which all have
the same binary value.

14. Cryptographic system according to any one of claims 7 to 10, wherein the decryption
station is a signature decryption station (B) which comprises

= reception means (RC) for receiving said pair of integers (u,v) representative of an
encrypted signature corresponding to said integer x;

= means for querying a public directory (PD) to receive therefrom the transfer of at least
said modulus m, pair of integers (a,b) and public multiplier e;

= storage means for at least said modulus m, pair of integers (a,b) and public multiplier e
as transferred;

= an elliptic curve computation means (ECC) for performing, on said point P(u,v) of said
elliptic curve whose coordinates are said pair of integers (u,v), an elliptic curve
computation

    $$Q(s,t) = e \cdot P(u,v)$$

to compute a point Q(s,t) of said elliptic curve whose coordinates are said pair of integers
(s,t); and

= an authentication means comprising

  = means (EM) for computing a decrypted signature from at least said integer s, having
  regard to said predetermined relationship between said integer s and said integer x, and

  = means (VM) for determining whether said decrypted signature satisfies said predetermined
  conditions to which the integer x is subject, in which case said decrypted signature is
  proven authentic;

whereby the signature decryption station is capable of decrypting and authenticating an
encrypted signature received from the corresponding signature encryption station (A). (Fig. 1)

15. Cryptographic system according to any one of claims 7 to 10, wherein the decryption
station is a signature decryption station (B) which comprises

= reception means (RC) for receiving said pair of integers (u,v) representative of an
encrypted signature corresponding to said integer x;

= input means for receiving at least said modulus m, pair of integers (a,b) and public
multiplier e transferred from said trapdoor generator by said transfer means;

= storage means for at least said modulus m, pair of integers (a,b) and public multiplier e
as transferred;

= an elliptic curve computation means (ECC) for performing, on said point P(u,v) of said
elliptic curve whose coordinates are said pair of integers (u,v), an elliptic curve
computation

    $$Q(s,t) = e \cdot P(u,v)$$

to compute a point Q(s,t) of said elliptic curve whose coordinates are said pair of integers
(s,t); and

= an authentication means comprising

  = means (EM) for computing a decrypted signature from at least said integer s, having
  regard to said predetermined relationship between said integer s and said integer x, and

  = means (VM) for determining whether said decrypted signature satisfies said predetermined
  conditions to which the integer x is subject, in which case said decrypted signature is
  proven authentic;

whereby the signature decryption station is capable of decrypting and authenticating an
encrypted signature received from the corresponding signature encryption station (A). (Fig. 1)

16. Cryptographic system according to claims 13 and 14, wherein said authentication means
comprises means for determining whether each of the t least significant bits of the integer s
has one and the same predetermined binary value.

17. Cryptographic system according to claim 2, wherein the encryption station is a signature
encryption station which comprises

= said trapdoor generator;

= means for selecting a pair of integers (x,y) satisfying the conditions 0 ≤ x < m and
0 ≤ y < m and further subject to the predetermined conditions provided as an initial setup in
all stations of the cryptographic system;

= means for computing an integer a according to an equation

    $$a \equiv \left[(y^2/x) - x^2\right] \pmod{m}$$

in case the value j = 4 has been selected, and according to an equation a = 0 in case the
value j = 3 has been selected for said integer j at the trapdoor generator, in which latter
case the means for computing an integer a can in practice be dispensed with;

= an elliptic curve computation means for performing, on a point P(x,y) of an elliptic curve
which is representative of said integers (x,y), an elliptic curve computation

    $$Q(w,z) = d \cdot P(x,y)$$

using the value of the integer a computed in said computing means, to compute a point Q(w,z)
of said elliptic curve whose coordinates are a pair of integers (w,z) representative of an
encrypted signature corresponding to said pair of integers (x,y); and

= transmission means for transmitting said pair of integers (w,z) for reception at a
signature decryption station;

whereby the signature encryption station is capable of generating and transmitting to a
corresponding signature decryption station a signature whose authenticity can be verified at
the signature decryption station.

18. Cryptographic system according to claim 2, wherein the encryption station is a signature
encryption station which comprises

= said trapdoor generator;

= input means for receiving a pair of integers (x,y) satisfying the conditions 0 ≤ x < m and
0 ≤ y < m and further subject to the predetermined conditions provided as an initial setup in
all stations of the cryptographic system;

= storage means for said pair of integers (x,y) as entered;

= means for computing an integer a according to an equation

    $$a \equiv \left[(y^2/x) - x^2\right] \pmod{m}$$

in case the value j = 4 has been selected, and according to an equation a = 0 in case the
value j = 3 has been selected for said integer j at the trapdoor generator, in which latter
case the means for computing an integer a can in practice be dispensed with;

= an elliptic curve computation means for performing, on a point P(x,y) of an elliptic curve
which is representative of said integers (x,y), an elliptic curve computation

    $$Q(w,z) = d \cdot P(x,y)$$

using the value of the integer a computed in said computing means, to compute a point Q(w,z)
of said elliptic curve whose coordinates are a pair of integers (w,z) representative of an
encrypted signature corresponding to said pair of integers (x,y); and

= transmission means for transmitting said pair of integers (w,z) for reception at a
signature decryption station;

whereby the signature encryption station is capable of generating and transmitting to a
corresponding signature decryption station a signature whose authenticity can be verified at
the signature decryption station.

19. Cryptographic system according to claim 2, wherein

• the encryption station is a signature encryption station,

• the trapdoor generator further comprises means for transferring at least said multiplicity
r of distinct prime numbers p_i, modulus m and secret multiplier d to the signature
encryption station, and

• the signature encryption station comprises

  = input means for receiving at least said multiplicity r of distinct prime numbers p_i,
  modulus m and secret multiplier d;

  = storage means for at least said multiplicity r of distinct prime numbers p_i, modulus m
  and secret multiplier d as entered;

  = means for selecting a pair of integers (x,y) satisfying the conditions 0 ≤ x < m and
  0 ≤ y < m and further subject to the predetermined conditions provided as an initial setup
  in all stations of the cryptographic system;

  = means for computing an integer a according to an equation

      $$a \equiv \left[(y^2/x) - x^2\right] \pmod{m}$$

  in case the value j = 4 has been selected, and according to an equation a = 0 in case the
  value j = 3 has been selected for said integer j at the trapdoor generator, in which latter
  case the means for computing an integer a can in practice be dispensed with;

  = an elliptic curve computation means for performing, on a point P(x,y) of an elliptic
  curve which is representative of said integers (x,y), an elliptic curve computation

      $$Q(w,z) = d \cdot P(x,y)$$

  using the value of the integer a computed in said computing means, to compute a point
  Q(w,z) of said elliptic curve whose coordinates are a pair of integers (w,z) representative
  of an encrypted signature corresponding to said pair of integers (x,y); and

  = transmission means for transmitting said pair of integers (w,z) for reception at a
  signature decryption station;

whereby the signature encryption station is capable of generating and transmitting to a
corresponding signature decryption station a signature whose authenticity can be verified at
the signature decryption station.

20. Cryptographic system according to claim 2, wherein

• the encryption station is a signature encryption station,

• the trapdoor generator further comprises means for transferring at least said multiplicity
r of distinct prime numbers p_i, modulus m and secret multiplier d to the signature
encryption station, and

• the signature encryption station comprises

  = input means for receiving at least said multiplicity r of distinct prime numbers p_i,
  modulus m and secret multiplier d, and further for receiving the input of a pair of
  integers (x,y) satisfying the conditions 0 ≤ x < m and 0 ≤ y < m and further subject to the
  predetermined conditions provided as an initial setup in all stations of the cryptographic
  system;

  = storage means for at least said multiplicity r of distinct prime numbers p_i, modulus m,
  secret multiplier d and pair of integers (x,y) as entered;

  = means for computing an integer a according to an equation

      $$a \equiv \left[(y^2/x) - x^2\right] \pmod{m}$$

  in case the value j = 4 has been selected, and according to an equation a = 0 in case the
  value j = 3 has been selected for said integer j at the trapdoor generator, in which latter
  case the means for computing an integer a can in practice be dispensed with;

  = an elliptic curve computation means for performing, on a point P(x,y) of an elliptic
  curve which is representative of said integers (x,y), an elliptic curve computation

      $$Q(w,z) = d \cdot P(x,y)$$

  using the value of the integer a computed in said computing means, to compute a point
  Q(w,z) of said elliptic curve whose coordinates are a pair of integers (w,z) representative
  of an encrypted signature corresponding to said pair of integers (x,y); and

  = transmission means for transmitting said pair of integers (w,z) for reception at a
  signature decryption station;

whereby the signature encryption station is capable of generating and transmitting to a
corresponding signature decryption station a signature whose authenticity can be verified at
the signature decryption station.

21. Cryptographic system according to claim 5 and any one of claims 17 to 20, wherein the
decryption station is a signature decryption station which comprises

= means for querying a public directory to receive therefrom the transfer of at least said
modulus m and public multiplier e;

= storage means for at least said modulus m and public multiplier e as transferred;

= reception means for receiving said pair of integers (w,z) representative of an encrypted
message corresponding to said pair of integers (x,y);

= means for computing an integer a according to an equation

    $$a \equiv \left[(z^2/w) - w^2\right] \pmod{m}$$

in case the value j = 4 has been selected, and according to an equation a = 0 in case the
value j = 3 has been selected for said integer j at the trapdoor generator, in which latter
case the means for computing an integer a can in practice be dispensed with;

= an elliptic curve computation means for performing, on a point Q(w,z) of said elliptic
curve whose coordinates are said pair of integers (w,z), an elliptic curve computation

    $$P(x,y) = e \cdot Q(w,z)$$

using the value of the integer a computed in said computing means, to compute a point P(x,y)
of said elliptic curve whose coordinates are said pair of integers (x,y) representative of a
decrypted message; and

= an authentication means for determining whether said elliptic curve computation means has
successfully computed a pair of integers (x,y) satisfying the predetermined conditions
provided as an initial setup in all stations of the cryptographic system;

whereby the signature decryption station is capable of decrypting and authenticating an
encrypted signature received from the corresponding signature encryption station.

22. Cryptographic system according to claim 5 and any one of claims 17 to 20, wherein the
decryption station is a signature decryption station which comprises

= input means for receiving at least said modulus m and public multiplier e transferred from
said trapdoor generator by said transfer means;

= storage means for at least said modulus m and public multiplier e as transferred;

= reception means for receiving said pair of integers (w,z) representative of an encrypted
message corresponding to said pair of integers (x,y);

= means for computing an integer a according to an equation

    $$a \equiv \left[(z^2/w) - w^2\right] \pmod{m}$$

in case the value j = 4 has been selected, and according to an equation a = 0 in case the
value j = 3 has been selected for said integer j at the trapdoor generator, in which latter
case the means for computing an integer a can in practice be dispensed with;

= an elliptic curve computation means for performing, on a point Q(w,z) of said elliptic
curve whose coordinates are said pair of integers (w,z), an elliptic curve computation

    $$P(x,y) = e \cdot Q(w,z)$$

using the value of the integer a computed in said computing means, to compute a point P(x,y)
of said elliptic curve whose coordinates are said pair of integers (x,y) representative of a
decrypted message; and

= an authentication means for determining whether said elliptic curve computation means has
successfully computed a pair of integers (x,y) satisfying the predetermined conditions
provided as an initial setup in all stations of the cryptographic system;

whereby the signature decryption station is capable of decrypting and authenticating an
encrypted signature received from the corresponding signature encryption station.

23. Cryptographic system according to claim 6 and any one of claims 17 to 20, wherein the
decryption station is a signature decryption station which comprises

= means for querying a public directory to receive therefrom the transfer of at least said
modulus m, public multiplier e and integer j;

= storage means for at least said modulus m, public multiplier e and integer j as
transferred;

= reception means for receiving said pair of integers (w,z) representative of an encrypted
message corresponding to said pair of integers (x,y);

= means for computing an integer a according to an equation

    $$a \equiv \left[(z^2/w) - w^2\right] \pmod{m}$$

in case the value j = 4 has been selected, and according to an equation a = 0 in case the
value j = 3 has been selected for said integer j at the trapdoor generator, in which latter
case the means for computing an integer a can in practice be dispensed with;

= an elliptic curve computation means for performing, on a point Q(w,z) of said elliptic
curve whose coordinates are said pair of integers (w,z), an elliptic curve computation

    $$P(x,y) = e \cdot Q(w,z)$$

using the value of the integer a computed in said computing means, to compute a point P(x,y)
of said elliptic curve whose coordinates are said pair of integers (x,y) representative of a
decrypted message; and

= an authentication means for determining whether said elliptic curve computation means has
successfully computed a pair of integers (x,y) satisfying the predetermined conditions
provided as an initial setup in all stations of the cryptographic system;

whereby the signature decryption station is capable of decrypting and authenticating an
encrypted signature received from the corresponding signature encryption station.

24. Cryptographic system according to claim 6 and any one of claims 17 to 20, wherein the
decryption station is a signature decryption station which comprises

= input means for receiving at least said modulus m, public multiplier e and integer j
transferred from said trapdoor generator by said transfer means;

= storage means for at least said modulus m, public multiplier e and integer j as
transferred;

= reception means for receiving said pair of integers (w,z) representative of an encrypted
message corresponding to said pair of integers (x,y);

= means for computing an integer a according to an equation

    $$a \equiv \left[(z^2/w) - w^2\right] \pmod{m}$$

in case the value j = 4 has been selected, and according to an equation a = 0 in case the
value j = 3 has been selected for said integer j at the trapdoor generator, in which latter
case the means for computing an integer a can in practice be dispensed with;

= an elliptic curve computation means for performing, on a point Q(w,z) of said elliptic
curve whose coordinates are said pair of integers (w,z), an elliptic curve computation

    $$P(x,y) = e \cdot Q(w,z)$$

using the value of the integer a computed in said computing means, to compute a point P(x,y)
of said elliptic curve whose coordinates are said pair of integers (x,y) representative of a
decrypted message; and

= an authentication means for determining whether said elliptic curve computation means has
successfully computed a pair of integers (x,y) satisfying the predetermined conditions
provided as an initial setup in all stations of the cryptographic system;

whereby the signature decryption station is capable of decrypting and authenticating an
encrypted signature received from the corresponding signature encryption station.

25. Cryptographic system according to claims 3 and 5, wherein the encryption station is a
message encryption station (B) which comprises

= means for querying a public directory to receive therefrom the transfer of at least said
modulus m and public multiplier e;

= storage means for at least said modulus m and public multiplier e as transferred;

= input means for receiving a pair of integers (x,y) representative of a message, satisfying
the conditions 0 ≤ x < m and 0 ≤ y < m;

= means for computing an integer a according to an equation

    $$a \equiv \left[(y^2/x) - x^2\right] \pmod{m}$$

in case the value j = 4 has been selected, and according to an equation a = 0 in case the
value j = 3 has been selected for said integer j at the trapdoor generator, in which latter
case the means for computing an integer a can in practice be dispensed with;

= an elliptic curve computation means (ECC) for performing, on a point P(x,y) of an elliptic
curve which is representative of said integers (x,y), an elliptic curve computation

    $$Q(w,z) = e \cdot P(x,y)$$

using the value of the integer a computed in said computing means, to compute a point Q(w,z)
of said elliptic curve whose coordinates are a pair of integers (w,z) representative of an
encrypted message corresponding to said pair of integers (x,y); and

= transmission means (TR) for transmitting said pair of integers (w,z) for reception at a
message decryption station (A);

whereby the message encryption station is capable of encrypting and transmitting a message
that can be decrypted at a message receiving and decryption station. (Fig. 2)

26. Cryptographic system according to claims 4 and 5, wherein the encryption station is a
message encryption station (B) which comprises

= input means for receiving at least said modulus m and public multiplier e transferred from
said trapdoor generator by said transfer means;

= storage means for at least said modulus m and public multiplier e as transferred;

= message input means for receiving a pair of integers (x,y) representative of a message,
satisfying the conditions 0 ≤ x < m and 0 ≤ y < m;

= means for computing an integer a according to an equation

    $$a \equiv \left[(y^2/x) - x^2\right] \pmod{m}$$

in case the value j = 4 has been selected, and according to an equation a = 0 in case the
value j = 3 has been selected for said integer j at the trapdoor generator, in which latter
case the means for computing an integer a can in practice be dispensed with;

= an elliptic curve computation means (ECC) for performing, on a point P(x,y) of an elliptic
curve which is representative of said integers (x,y), an elliptic curve computation

    $$Q(w,z) = e \cdot P(x,y)$$

using the value of the integer a computed in said computing means, to compute a point Q(w,z)
of said elliptic curve whose coordinates are a pair of integers (w,z) representative of an
encrypted message corresponding to said pair of integers (x,y); and

= transmission means (TR) for transmitting said pair of integers (w,z) for reception at a
message decryption station (A);

whereby the message encryption station is capable of encrypting and transmitting a message
that can be decrypted at a message receiving and decryption station. (Fig. 2)

27. Cryptographic system according to claims 3 and 6, wherein the encryption station is a
message encryption station (B) which comprises

= means for querying a public directory to receive therefrom the transfer of at least said
modulus m, public multiplier e and integer j;

= storage means for at least said modulus m, public multiplier e and integer j as
transferred;

= message input means for receiving a pair of integers (x,y) representative of a message,
satisfying the conditions 0 ≤ x < m and 0 ≤ y < m;

= means for computing an integer a according to an equation

    $$a \equiv \left[(y^2/x) - x^2\right] \pmod{m}$$

in case the value j = 4 has been selected, and according to an equation a = 0 in case the
value j = 3 has been selected for said integer j at the trapdoor generator, in which latter
case the means for computing an integer a can in practice be dispensed with;

= an elliptic curve computation means (ECC) for performing, on a point P(x,y) of an elliptic
curve which is representative of said integers (x,y), an elliptic curve computation

    $$Q(w,z) = e \cdot P(x,y)$$

using the value of the integer a computed in said computing means, to compute a point Q(w,z)
of said elliptic curve whose coordinates are a pair of integers (w,z) representative of an
encrypted message corresponding to said pair of integers (x,y); and

= transmission means (TR) for transmitting said pair of integers (w,z) for reception at a
message decryption station (A);

whereby the message encryption station is capable of encrypting and transmitting a message
that can be decrypted at a message receiving and decryption station. (Fig. 2)

28. Cryptographic system according to claims 4 and 6, wherein the encryption station is a
message encryption station (B) which comprises

= input means for receiving at least said modulus m, public multiplier e and integer j
transferred from said trapdoor generator by said transfer means;

= storage means for at least said modulus m, public multiplier e and integer j as
transferred;

= message input means for receiving a pair of integers (x,y) representative of a message,
satisfying the conditions 0 ≤ x < m and 0 ≤ y < m;

= means for computing an integer a according to an equation

    $$a \equiv \left[(y^2/x) - x^2\right] \pmod{m}$$

in case the value j = 4 has been selected, and according to an equation a = 0 in case the
value j = 3 has been selected for said integer j at the trapdoor generator, in which latter
case the means for computing an integer a can in practice be dispensed with;

= an elliptic curve computation means (ECC) for performing, on a point P(x,y) of an elliptic
curve which is representative of said integers (x,y), an elliptic curve computation

    $$Q(w,z) = e \cdot P(x,y)$$

using the value of the integer a computed in said computing means, to compute a point Q(w,z)
of said elliptic curve whose coordinates are a pair of integers (w,z) representative of an
encrypted message corresponding to said pair of integers (x,y); and

= transmission means (TR) for transmitting said pair of integers (w,z) for reception at a
message decryption station (A);

whereby the message encryption station is capable of encrypting and transmitting a message
that can be decrypted at a message receiving and decryption station. (Fig. 2)


29. Cryptographic system according to claim 2 and any one of claims 25 to 28, wherein the
decryption station is a message decryption station which comprises

= said trapdoor generator;

= reception means for receiving said pair of integers (w,z) representative of an encrypted
message corresponding to said pair of integers (x,y);

= means for computing an integer a according to an equation

    $$a \equiv \left[(z^2/w) - w^2\right] \pmod{m}$$

in case the value j = 4 has been selected, and according to an equation a = 0 in case the
value j = 3 has been selected for said integer j at the trapdoor generator, in which latter
case the means for computing an integer a can in practice be dispensed with; and

= an elliptic curve computation means for performing, on a point Q(w,z) of said elliptic
curve whose coordinates are said pair of integers (w,z), an elliptic curve computation

    $$P(x,y) = d \cdot Q(w,z)$$

using the value of the integer a computed in said computing means, to compute a point P(x,y)
of said elliptic curve whose coordinates are said pair of integers (x,y) representative of a
decrypted message;

whereby the message decryption station is capable of receiving and decrypting a message.



30. Cryptographic system according to claim 5 and any one of claims 25 to 28, wherein

• the decryption station is a message decryption station,

• the trapdoor generator further comprises means for transferring at least said modulus m and
secret multiplier d to the message decryption station, and

• the message decryption station comprises

  = input means for receiving at least said modulus m and secret multiplier d;

  = storage means for at least said modulus m and secret multiplier d as entered;

  = reception means for receiving said pair of integers (w,z) representative of an encrypted
  message corresponding to said pair of integers (x,y);

  = means for computing an integer a according to an equation

      $$a \equiv \left[(z^2/w) - w^2\right] \pmod{m}$$

  in case the value j = 4 has been selected, and according to an equation a = 0 in case the
  value j = 3 has been selected for said integer j at the trapdoor generator, in which latter
  case the means for computing an integer a can in practice be dispensed with; and

  = an elliptic curve computation means for performing, on a point Q(w,z) of said elliptic
  curve whose coordinates are said pair of integers (w,z), an elliptic curve computation

      $$P(x,y) = d \cdot Q(w,z)$$

  using the value of the integer a computed in said computing means, to compute a point
  P(x,y) of said elliptic curve whose coordinates are said pair of integers (x,y)
  representative of a decrypted message;

whereby the message decryption station is capable of receiving and decrypting a message.

31. Cryptographic system according to claim 6 and any one of claims 25 to 28, wherein

• the decryption station is a message decryption station,

• the trapdoor generator further comprises means for transferring at least said modulus m, secret multiplier d and integer j to the message decryption station, and

• the message decryption station comprises

= input means for receiving at least said modulus m, secret multiplier d and integer j;

= storage means for at least said input modulus m, secret multiplier d and integer j;

= receiving means for receiving said pair of integers (w,z) representative of an encrypted message corresponding to said pair of integers (x,y);

= means for computing an integer a according to an equation

$a \equiv [(z^2/w) - w^2] \pmod{m}$

in the case where the value j = 4 has been selected, and according to an equation a = 0 in the case where the value j = 3 has been selected for said integer j at the trapdoor generator, in which latter case the means for computing an integer a may in practice be dispensed with; and

= elliptic curve computation means for performing, on a point Q(w,z) of said elliptic curve whose coordinates are said pair of integers (w,z), an elliptic curve computation

$P(x,y) = d \cdot Q(w,z)$

using the value of the integer a computed in said computing means, to compute a point P(x,y) of said elliptic curve whose coordinates are said pair of integers (x,y) representative of a decrypted message;
whereby the message decryption station is capable of receiving and decrypting a message.

32. Cryptographic system according to claim 2, further comprising

= a trusted authority device (TA) for issuing data that allow the identification of a station of the cryptographic system; and

= at least one identification device (ID) included in a station of the cryptographic system and provided with storage means (SM) for said data allowing the identification;

= at least one verification device (VD) included in another station of the cryptographic system and adapted to cooperate with said identification device;

• said trusted authority device being provided with said trapdoor generator and further comprising

= means for selecting a string I of identification data uniquely representative of an identity of an applicant for said identification device;

= means for selecting a function f that assigns to each of said unique strings I a respective unique pair of integers (x,y) satisfying the conditions 0 ≤ x < m and 0 ≤ y < m, such that said integers (x,y) are representative of a point P(x,y) = f(I) of an elliptic curve;

= elliptic curve computation means (ECC) for performing on said point P(x,y) an elliptic curve computation

$Q(s,t) = d \cdot P(x,y)$

to compute a point Q(s,t) of said elliptic curve whose coordinates are a pair of integers (s,t) representative of an encrypted string corresponding to said string I of identification data; and

= transfer means (TR) for transferring at least said string I of identification data, modulus m, public multiplier e, pair of integers (x,y) and pair of integers (s,t) to said storage means (SM) of said identification device for storage therein. (Fig. 3)

33. Cryptographic system according to claim 32, wherein said function f is provided as a preset in all stations of the cryptographic system.

34. Cryptographic system according to claim 32, wherein said data transferred by said transfer means also comprise said function f.

35. Cryptographic system according to claim 33, wherein

• said identification device (ID) comprises

= means for computing an integer a according to an equation

$a \equiv [(y^2/x) - x^2] \pmod{m}$

in the case where the value j = 4 has been selected, and according to an equation a = 0 in the case where the value j = 3 has been selected for said integer j at the trapdoor generator, in which latter case the means for computing an integer a may in practice be dispensed with;

= means (RIG) for selecting a random integer r satisfying the conditions 0 ≤ r ≤ l, where l is an integer provided as a preset in the identification device and satisfying the condition l < m;

= elliptic curve computation means (ECC) for performing, on said point P(u,v) of said elliptic curve whose coordinates are said pair of integers (u,v), an elliptic curve computation

$U(u_x,u_y) = r \cdot P(x,y)$

to compute a point $U(u_x,u_y)$ of said elliptic curve whose coordinates are a pair of integers $(u_x,u_y)$;

= elliptic curve computation means (ECC) for performing, on said point $U(u_x,u_y)$ of said elliptic curve whose coordinates are said pair of integers $(u_x,u_y)$, an elliptic curve computation

$V(v_x,v_y) = e \cdot U(u_x,u_y)$

to compute a point $V(v_x,v_y)$ of said elliptic curve whose coordinates are a pair of integers $(v_x,v_y)$;

= transmission means (TR) for transmitting said string I of identification data and pair of integers $(v_x,v_y)$ for reception at said other station which includes said verification device (VD);

= receiving means (RC) for receiving an integer k as a challenge from said other station which includes said verification device;

= elliptic curve computation means (ECC) for performing, on said point Q(s,t) of said elliptic curve whose coordinates are said pair of integers (s,t), an elliptic curve computation

$W(w_x,w_y) = U(u_x,u_y) + k \cdot Q(s,t)$

to compute a point $W(w_x,w_y)$ of said elliptic curve whose coordinates are a pair of integers $(w_x,w_y)$;

= transmission means (TR) for transmitting said pair of integers $(w_x,w_y)$ for reception at said other station which includes said verification device (VD);

and

• said verification device (VD) comprises

= means for computing, from said string I of identification data and according to said function f, said pair of integers (x,y) representative of a point P(x,y) = f(I) of said elliptic curve;

= means (RIG) for selecting a random integer k satisfying the conditions 0 ≤ k ≤ (e − 1);

= transmission means (TR) for transmitting said random integer k as a challenge for reception at said station which includes said identification device;

= receiving means (RC) for receiving, from said station which includes said identification device (ID), said pair of integers $(w_x,w_y)$ in response to said challenge;

= elliptic curve computation means (ECC) for performing, on said point $W(w_x,w_y)$ of said elliptic curve whose coordinates are said pair of integers $(w_x,w_y)$, an elliptic curve computation

$T_1(t_{1x},t_{1y}) = e \cdot W(w_x,w_y)$

to compute a point $T_1(t_{1x},t_{1y})$ of said elliptic curve whose coordinates are a pair of integers $(t_{1x},t_{1y})$;

= elliptic curve computation means (ECC) for performing, on said point $W(w_x,w_y)$ of said elliptic curve whose coordinates are said pair of integers $(w_x,w_y)$, an elliptic curve computation

to compute a point $T_2(t_{2x},t_{2y})$ of said elliptic curve whose coordinates are a pair of integers $(t_{2x},t_{2y})$; and

= means (CMP) for comparing said pairs of integers $(t_{1x},t_{1y})$ and $(t_{2x},t_{2y})$ with each other so as to determine whether both test conditions $t_{1x} = t_{2x}$ and $t_{1y} = t_{2y}$ are satisfied by said pairs of integers $(t_{1x},t_{1y})$ and $(t_{2x},t_{2y})$;
whereby the verification device is capable of determining whether an identification device is genuine. (Fig. 4)

Cryptographic system according to claim 34, wherein

• said trusted authority device further comprises transfer means for transferring said function f to corresponding storage means provided in said verification device, for locally storing said function f in said verification device;

• said identification device comprises

= means for computing an integer a according to an equation

$a \equiv [(y^2/x) - x^2] \pmod{m}$

in the case where the value j = 4 has been selected, and according to an equation a = 0 in the case where the value j = 3 has been selected for said integer j at the trapdoor generator, in which latter case the means for computing an integer a may in practice be dispensed with;

= means for selecting a random integer r satisfying the conditions 0 ≤ r ≤ m;

= elliptic curve computation means for performing, on said point P(u,v) of said elliptic curve whose coordinates are said pair of integers (u,v), an elliptic curve computation

$U(u_x,u_y) = r \cdot P(x,y)$

to compute a point $U(u_x,u_y)$ of said elliptic curve whose coordinates are a pair of integers $(u_x,u_y)$;

= elliptic curve computation means for performing, on said point $U(u_x,u_y)$ of said elliptic curve whose coordinates are said pair of integers $(u_x,u_y)$, an elliptic curve computation

$V(v_x,v_y) = e \cdot U(u_x,u_y)$

to compute a point $V(v_x,v_y)$ of said elliptic curve whose coordinates are a pair of integers $(v_x,v_y)$;

= transmission means for transmitting said string I of identification data and pair of integers $(v_x,v_y)$ for reception at said other station which includes said verification device;

= receiving means for receiving an integer k as a challenge from said other station which includes said verification device;

= elliptic curve computation means for performing, on said point Q(s,t) of said elliptic curve whose coordinates are said pair of integers (s,t), an elliptic curve computation

$W(w_x,w_y) = U(u_x,u_y) + k \cdot Q(s,t)$

to compute a point $W(w_x,w_y)$ of said elliptic curve whose coordinates are a pair of integers $(w_x,w_y)$;

= transmission means for transmitting said pair of integers $(w_x,w_y)$ for reception at said other station which includes said verification device;

and

• said verification device comprises

= input means for receiving at least said function f from said trusted authority device by means of said transfer means thereof;

= storage means for at least said transferred function f;

= means for computing, from said string I of identification data and according to said function f, said pair of integers (x,y) representative of a point P(x,y) = f(I) of said elliptic curve;

= means for selecting a random integer k satisfying the conditions 0 ≤ k ≤ (e − 1);

= transmission means for transmitting said random integer k for reception as a challenge at said station which includes said identification device;

= receiving means for receiving said pair of integers $(w_x,w_y)$ in response to said challenge from said other station which includes said identification device;

= elliptic curve computation means for performing, on said point $W(w_x,w_y)$ of said elliptic curve whose coordinates are said pair of integers $(w_x,w_y)$, an elliptic curve computation

$T_1(t_{1x},t_{1y}) = e \cdot W(w_x,w_y)$

to compute a point $T_1(t_{1x},t_{1y})$ of said elliptic curve whose coordinates are a pair of integers $(t_{1x},t_{1y})$;

= elliptic curve computation means for performing, on said point $W(w_x,w_y)$ of said elliptic curve whose coordinates are said pair of integers $(w_x,w_y)$, an elliptic curve computation

to compute a point $T_2(t_{2x},t_{2y})$ of said elliptic curve whose coordinates are a pair of integers $(t_{2x},t_{2y})$; and

= means for comparing said pairs of integers $(t_{1x},t_{1y})$ and $(t_{2x},t_{2y})$ with each other so as to determine whether both test conditions $t_{1x} = t_{2x}$ and $t_{1y} = t_{2y}$ are satisfied by said pairs of integers $(t_{1x},t_{1y})$ and $(t_{2x},t_{2y})$;

whereby the verification device is capable of determining whether an identification device is genuine.

Cryptographic system according to claim 34, wherein

• said trusted authority device further comprises transfer means for transferring said function f to a public directory which can be queried by any station, for locally storing said function f therein;

• said identification device comprises

= means for computing an integer a according to an equation

$a \equiv [(y^2/x) - x^2] \pmod{m}$

in the case where the value j = 4 has been selected, and according to an equation a = 0 in the case where the value j = 3 has been selected for said integer j at the trapdoor generator, in which latter case the means for computing an integer a may in practice be dispensed with;

= means for selecting a random integer r satisfying the conditions 0 ≤ r ≤ m;

= elliptic curve computation means for performing, on said point P(u,v) of said elliptic curve whose coordinates are said pair of integers (u,v), an elliptic curve computation

$U(u_x,u_y) = r \cdot P(x,y)$

to compute a point $U(u_x,u_y)$ of said elliptic curve whose coordinates are a pair of integers $(u_x,u_y)$;

= elliptic curve computation means for performing, on said point $U(u_x,u_y)$ of said elliptic curve whose coordinates are said pair of integers $(u_x,u_y)$, an elliptic curve computation

$V(v_x,v_y) = e \cdot U(u_x,u_y)$

to compute a point $V(v_x,v_y)$ of said elliptic curve whose coordinates are a pair of integers $(v_x,v_y)$;

= transmission means for transmitting said string I of identification data and pair of integers $(v_x,v_y)$ for reception at said other station which includes said verification device;

= receiving means for receiving an integer k as a challenge from said other station which includes said verification device;

= elliptic curve computation means for performing, on said point Q(s,t) of said elliptic curve whose coordinates are said pair of integers (s,t), an elliptic curve computation

$W(w_x,w_y) = U(u_x,u_y) + k \cdot Q(s,t)$

to compute a point $W(w_x,w_y)$ of said elliptic curve whose coordinates are a pair of integers $(w_x,w_y)$;

= transmission means for transmitting said pair of integers $(w_x,w_y)$ for reception at said other station which includes said verification device;

and

• said verification device comprises

= means for querying a public directory so as to receive therefrom the transfer of at least said function f;

= storage means for at least said transferred function f;

= means for computing, from said string I of identification data and according to said function f, said pair of integers (x,y) representative of a point P(x,y) = f(I) of said elliptic curve;

= means for selecting a random integer k satisfying the conditions 0 ≤ k ≤

= transmission means for transmitting said random integer k for reception as a challenge at said station which includes said identification device;

= receiving means for receiving said pair of integers $(w_x,w_y)$ in response to said challenge from said other station which includes said identification device;

= elliptic curve computation means for performing, on said point $W(w_x,w_y)$ of said elliptic curve whose coordinates are said pair of integers $(w_x,w_y)$, an elliptic curve computation

$T_1(t_{1x},t_{1y}) = e \cdot W(w_x,w_y)$

to compute a point $T_1(t_{1x},t_{1y})$ of said elliptic curve whose coordinates are a pair of integers $(t_{1x},t_{1y})$;

= elliptic curve computation means for performing, on said point $W(w_x,w_y)$ of said elliptic curve whose coordinates are said pair of integers $(w_x,w_y)$, an elliptic curve computation

$T_2(t_{2x},t_{2y}) = V(v_x,v_y) + k \cdot P(x,y)$

to compute a point $T_2(t_{2x},t_{2y})$ of said elliptic curve whose coordinates are a pair of integers $(t_{2x},t_{2y})$; and

= means for comparing said pairs of integers $(t_{1x},t_{1y})$ and $(t_{2x},t_{2y})$ with each other so as to determine whether both test conditions $t_{1x} = t_{2x}$ and $t_{1y} = t_{2y}$ are satisfied by said pairs of integers $(t_{1x},t_{1y})$ and $(t_{2x},t_{2y})$;
whereby the verification device is capable of determining whether an identification device is genuine.

38. Cryptographic system according to any one of claims 35 to 37, wherein said means for selecting a random integer k and said transmission means for transmitting said random integer k as a challenge are designed to be operated recurrently a multiple number of times in the course of an identification session.
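The decryption rule of claims 29 to 31 and one challenge round of claims 32 and 35, as an added Python example that is not part of the patent text. It assumes the case j = 4 with primes p and q both congruent to 3 (mod 4), e·d ≡ 1 (mod lcm(p+1, q+1)) and encryption as (w,z) = e·P, none of which this section states; the toy primes, the point standing in for f(I) and all function names are constructed for illustration.

```python
# Toy model of claims 29-31 (decryption) and 32/35 (identification), case j = 4.
# ASSUMPTIONS, not stated in this section: p and q are primes = 3 (mod 4), so
# y^2 = x^3 + a*x has p+1 and q+1 points mod p and q, and e*d = 1 (mod lcm).
from math import gcd

P_PRIME, Q_PRIME = 1000000007, 2147483647    # constructed toy primes
M = P_PRIME * Q_PRIME                        # modulus m
E_PUB = 65537                                # public multiplier e
ORDER = (P_PRIME + 1) * (Q_PRIME + 1) // gcd(P_PRIME + 1, Q_PRIME + 1)
D_SEC = pow(E_PUB, -1, ORDER)                # secret multiplier d (trapdoor)


def curve_a(x, y, m=M):
    """a = (y^2 / x) - x^2 (mod m), recomputed from any point on the curve."""
    return (y * y * pow(x, -1, m) - x * x) % m


def add(p1, p2, a, m=M):
    """Affine addition on y^2 = x^3 + a*x over Z_m (None = point at infinity).
    pow(v, -1, m) raises ValueError if a denominator shares a factor with m."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % m == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % m, -1, m) % m
    else:
        lam = (y2 - y1) * pow((x2 - x1) % m, -1, m) % m
    x3 = (lam * lam - x1 - x2) % m
    return x3, (lam * (x1 - x3) - y1) % m


def mul(n, pt, a, m=M):
    """Scalar multiple n * pt by left-to-right double-and-add."""
    acc = None
    for bit in bin(n)[2:]:
        acc = add(acc, acc, a, m)
        if bit == "1":
            acc = add(acc, pt, a, m)
    return acc


def identify(pt, q_cert, r, k):
    """One challenge round; returns the verifier's decision."""
    a = curve_a(*pt)
    u = mul(r, pt, a)                    # prover: U = r * P, not transmitted
    v = mul(E_PUB, u, a)                 # prover -> verifier: V = e * U
    w = add(u, mul(k, q_cert, a), a)     # prover -> verifier: W = U + k * Q
    t1 = mul(E_PUB, w, a)                # verifier: T1 = e * W
    t2 = add(v, mul(k, pt, a), a)        # verifier: T2 = V + k * P
    return t1 == t2


P_ID = (123456789, 987654321)            # constructed stand-in for P = f(I)
A_ID = curve_a(*P_ID)
Q_ID = mul(D_SEC, P_ID, A_ID)            # trusted authority issues Q = d * P

if __name__ == "__main__":
    c = mul(E_PUB, P_ID, A_ID)           # assumed encryption (w, z) = e * P
    print(mul(D_SEC, c, curve_a(*c)) == P_ID)              # decryption recovers P
    print(identify(P_ID, Q_ID, 314159265358979, 27182))    # genuine device
```

The verifier's test holds because e·W = e·U + k·(e·d)·P = V + k·P; a device that does not hold Q = d·P cannot produce a W that passes for an unpredictable challenge k.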